July 21 2019
Our commitment to privacy
At ESSSuper, we take privacy seriously. We are committed to protecting the personal information we collect and hold, to complying with our legal obligations under privacy law and to achieving best practice in the way we handle personal information.
As a public sector body, ESSSuper must comply with the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic). ESSSuper seeks at all times to comply with the Privacy Principles set out in these Acts. However, ESSSuper may seek approval of the Victorian Information Commissioner to handle personal information in a way which may not be consistent with the Information Privacy Principles set out in the Privacy and Data Protection Act 2014, where this is in the public interest.
ESSSuper also has specific information related obligations under legislation applicable to the superannuation Funds it administers.
This document outlines ESSSuper's practices and policies for the collection, use and management of the personal information that it collects. In this document, 'personal information' means information or an opinion about a person whose identity is apparent or can reasonably be ascertained from the information. Unless otherwise stated, references to 'personal information' include 'health information'.
Why do we need to collect personal information?
In order to administer the ESSSuper Funds and to comply with our obligations under relevant law, we need to collect personal information about our members and about members' family members, dependants and other beneficiaries.
We also collect and hold personal information about our employees, our contractors and service providers and their employees, and about other individuals with whom we deal in the course of performing our functions.
Wherever possible we allow individuals to deal with us anonymously. For example, we can often answer general queries about our services without requiring identification. However, the nature of our functions is such that we can usually only deal with identified individuals. We can only open accounts and transact on accounts with individuals who satisfy proof of identity requirements. Proof of identity is generally required when opening an account, making membership enquiries, changing membership details, requesting a benefit and/or terminating membership.
What information do we collect?
ESSSuper collects and holds a range of personal information about applicants for membership and about current and former members of the Funds it administers. This information includes:
- Identifying information, such as name, contact details and tax file number;
- Video images and voices during interactive web based seminars and education appointments;
- Employment details, including positions held with past and present employers;
- Information relating to superannuation benefits and entitlements;
- Information we need to assess our performance and the suitability of the products and services we provide;
- Health information, such as medical and rehabilitation opinions and reports, and medical history;
- Financial information such as salary, benefits and contributions history, detailed financial records, including bank statements, tax details and income tax returns (which we may use to provide advice about retirement planning or other Fund features); and
- Other information that we need in order to provide our services.
We may collect information about a member's spouse or partner, children and other dependants, for example when a member nominates that person as a beneficiary in the event of their death or where the person makes an application for the payment of death or pension benefits.
Generally, personal information relating to membership is collected directly via the membership application and other membership-related forms. Information may also be collected through our website when using the secure member portal.
However, there are situations where it may not be practicable to collect personal information directly, in which case information may be collected from third parties. For example:
- If a member elects to roll over other superannuation into an ESSSuper Fund, we will collect information about the member from the other Fund or Funds;
- We may collect information relevant to superannuation entitlements from an insurer;
- We may obtain medical reports or other health information from medical and rehabilitation practitioners;
- We may receive information about superannuation accounts from the ATO in order to track any lost or unclaimed superannuation or to enable consolidation of existing superannuation accounts;
- Employers will generally provide information to us when establishing and maintaining an employee’s membership in the Fund. (Employers may be required to do this under relevant superannuation laws.) We may also seek employment, salary, and contribution details from current or former employers in order to administer superannuation entitlements; and
- Where we suspect that misleading or fraudulent information has been provided about a member we may engage third parties to carry out investigations, which may involve use of surveillance or other information gathering, where this is permitted by law.
Our use of personal information
We use the personal information we collect from members and prospective members for a range of purposes connected with the administration of the Fund and providing superannuation related services. This includes for the purposes of:
- Assessing and processing membership applications;
- Assisting employers to meet their superannuation related obligations;
- Investing Funds and administering a member's superannuation entitlements;
- Providing financial advice and information about superannuation, insurance, retirement planning and other services (including advice and information provided by our business partners);
- Assessing or calculating a member's entitlements or eligibility (including for early release or ongoing disability benefits);
- Informing or providing information to other persons in accordance with any written nomination or directions provided to ESSSuper;
- Paying and/or transferring superannuation benefits; and
- Undertaking research and other activities to enable us to improve the services we provide.
We may use health information for some of these purposes where it is necessary to do so, for example to determine member medical classifications or to assess an entitlement to a disability or ill-health benefit.
We also use personal information about our contractors, service providers and business partners for a range of purposes connected with the performance of our functions and the provision of services to members.
We may use personal information for the purposes of sending our members information about products or services available from us or from our business partners. If we do this, we will give members an opportunity to opt out of receiving such communications in future, and members that choose to opt out will be removed from our commercial marketing lists. Note that we will still send members information about our services if we need to do so in order to perform our functions under legislation.
Our disclosure of personal information
ESSSuper may disclose members' personal information to other persons or organisations in connection with the administration of the Fund or for the purpose of enabling those other persons or organisations to provide services to ESSSuper.
ESSSuper does not disclose members' personal information to other organisations for commercial marketing purposes.
The types of persons or organisations that personal information may be disclosed to include:
- A member's current or former employer;
- A member's spouse or partner, dependants and/or nominated beneficiaries;
- Organisations that provide insurance or underwriting services to members who have or apply for insurance cover;
- Organisations (such as Link Advice Pty Ltd) that support our staff who provide financial advice to our members;
- Service providers and consultants, including mail-houses, direct marketing contractors and providers of IT, data storage, website hosting, printing, postal and courier services;
- Health service providers including doctors and specialists;
- Victorian and Commonwealth Government agencies that have regulatory or oversight responsibilities in relation to ESSSuper or the Funds we administer;
- Courts or tribunals;
- Professional advisers, including lawyers, actuaries, auditors and consultants;
- Other service providers or financial institutions that a member may direct us to communicate with or make payment to (for example: health Funds, utilities and telecommunications providers, banks, superannuation Funds and trustee companies); and
- Organisations engaged in superannuation related research and/or analysis.
We usually obtain express written consent before we disclose personal information, unless the disclosure is required or authorised by law. However, we may rely on implied consent where we have informed a member before collecting their personal information that the information may be disclosed to particular types of organisations for particular purposes. We will always obtain express consent before we disclose health information.
Some persons or organisations to which we disclose personal information may be located outside Victoria. Where that is the case, where reasonably practicable, we will ensure that the organisation is subject to a law or binding scheme or arrangement that ensures that the personal information will be protected to the same extent as it would be protected under the Privacy and Data Protection Act 2014.
Which laws require us to collect personal information?
Victorian legislation, including the Emergency Services Superannuation Act 1986, requires ESSSuper to collect personal information, including tax file numbers of members and other persons entitled or claiming to be entitled under the Funds it administers.
Other relevant legislation includes:
- Government Superannuation Act 1999
- State Superannuation Act 1988
- State Employees Retirement Benefits Act 1979
- Superannuation (Portability) Act 1989
- Transport Superannuation Act 1988
- Parliamentary Salaries and Superannuation Act 1968.
Commonwealth legislation may also require ESSSuper to collect personal information for purposes connected with law enforcement and crime prevention, taxation or regulation of superannuation providers. This includes:
- Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- Income Tax Assessment Acts 1936 and 1997
- Superannuation Contributions Tax (Assessment and Collection) Act 1997
- Superannuation Industry (Supervision) Act 1993
- Social Security (Administration) Act 1999
- Veterans' Entitlements Act 1986.
Consequences of not providing personal information
If a member does not provide or allow us to collect personal information that we need, we may not be able to perform our functions or provide the services the member would expect from us. The consequences of this will vary depending on the circumstances. For example, if a member elects not to provide personal information we require:
- We may not be able to process the member’s application for membership or provide that member with the full range of member services;
- We may not be able to establish a member’s, or a beneficiary's, entitlement to a superannuation benefit;
- We may not be able to accurately calculate the value of a member’s superannuation benefit;
- We may need to cancel that member’s entitlement to a pension or benefit;
- A member may have to pay more tax than may otherwise apply; or
- We may not be able to contact a member when we need to.
How do we protect the personal information we hold?
ESSSuper has in place a number of procedures, physical hardware and software safeguards to protect personal information.
Where practicable, we use secure methods of communication and backup systems to protect information from misuse, loss, unauthorised access, modification and disclosure. This includes use of encrypted email, although this may not be practicable for all communications, particularly with members and their representatives.
Our information systems and files are kept secured from unauthorised access. We have procedures in place to ensure that our staff only have access to personal information in our databases to the extent that they need it in order to perform their job.
Our staff, service providers and business partners have been informed of the importance we place on protecting members’ privacy and their role in helping us to do so. All of our staff who handle personal information are required to undergo privacy training.
We require our contracted service providers to comply with privacy law and to ensure that any personal information we provide to them is protected. We generally require contractors and service providers who may be required to handle sensitive customer information to undergo privacy training.
In order to ensure that the personal information we hold is accurate and up-to-date, we have systems to ensure that when we receive new or updated information about an individual, all relevant records are updated. From time-to-time we review our data holdings to ensure the accuracy of personal data. This may involve data matching with personal information held by other agencies.
We are required to take reasonable steps to destroy personal information when it is no longer required. We do this by reviewing and removing out-of-date files and databases (subject to any legal obligation to retain information and for archiving in compliance with the Public Records Act 1973).
ESSSuper will develop and comply with data protection plans as are required under the Privacy and Data Protection Act 2014.
Dealing with ESSSuper online
This policy also applies to personal information that individuals email to us or provide when using our website.
We use Google Analytics to understand website usage to help shape improvements to our service. For more information, please refer to: How Google uses data when you use our partners' sites or apps.
Note that there are some risks in transmitting information across the internet. While ESSSuper only collects and displays personal information in encrypted sessions using secure authentication for access, we cannot always ensure the security of information transmitted to us via online channels. If members are concerned about conveying sensitive material to ESSSuper over the internet, consideration should be given to contacting us by telephone, mail or in person.
Access to your personal information
Members have the right to access and correct personal information we hold about them. This right is subject to some exceptions, and we may be permitted to charge for providing access to this information.
In addition, under legislation relating to the superannuation Funds we administer, we are required to provide access to the contents of any medical report we obtain after 1 July 2010 within 28 days of receiving it. There are some exceptions to this obligation (including where the report was given to us in confidence or we believe that providing the report would pose a serious threat to life or health).
Requests for access to personal information are generally processed under the Freedom of Information Act 1982. Under that Act we may refuse access on certain grounds, including where providing access may affect the privacy or the commercial or financial interests of others.
If a request involves supply of documents, in accordance with the Freedom of Information Act 1982, we may be permitted to charge for providing this information. We will contact the person seeking access to inform them of any charge before we provide access to the information.
If you believe that there are errors in the information we hold, please let us know and we will investigate and, if necessary, correct any inaccuracies. Applications for access and correction of personal information should be addressed to:
The Freedom of Information Officer
GPO Box 1974
Melbourne Vic 3001
Queries and complaints
Any queries relating to privacy should, in the first instance, be referred to the ESSSuper Member Service Centre.
Phone: 1300 650 161 (for emergency services members)
Phone: 1300 655 476 (for state super members)
Written queries and complaints should be addressed to the Privacy Officer:
The Privacy Officer,
GPO Box 1974
Melbourne VIC 3001
Any complaint will be investigated promptly. Complainants may be asked to provide further information in relation to the complaint to assist the complaints process. Complainants will be notified of the outcome of the complaint as soon as practicable after the investigation is completed. If the complainant feels that ESSSuper, through its internal complaints procedure, has not adequately dealt with a complaint regarding privacy, then a complainant may contact the Victorian Information Commissioner. The Commissioner’s contact details may be found at https://ovic.vic.gov.au
If a complaint relates to health information held by ESSSuper and the complainant is not satisfied that ESSSuper, through its internal complaints procedures, has adequately dealt with the complaint, then a complainant may seek to contact the Health Complaints Commissioner. Contact details for the Health Complaints Commissioner may be found at https://hcc.vic.gov.au/.
This policy is current from July 2019.