The Privacy Act 1988 (Cth) (‘the Act’) regulates the way in which CareSuper is required to handle your personal information, including your health information. The Act contains 13 Australian Privacy Principles (APPs), which set out the requirements in relation to the collection, use, disclosure, quality and security of personal and sensitive information.
The APPs form part of CareSuper's procedures and policies and regulate the way in which your member account will be administered and managed.
Why does CareSuper need my personal information?
We collect your personal information to enable us to:
- Open and administer your superannuation or pension account and any insurance related to it
- Verify your identity, or the identity of any other person authorised to deal with your account
- Communicate with you and provide you with information about products and services available to you as a CareSuper member,
- Communicate with you about benefits, options and products available to you,
- Provide information, tools and education about superannuation and retirement, and
- Undertake member research, using membership data analysis and direct marketing activities including by both CareSuper and third parties.
If you choose not to provide your personal information, CareSuper may not be able to establish or properly administer your superannuation or pension account or provide you with some of the services we offer. For example, if you do not provide your tax file number, CareSuper may not be able to accept contributions for you and you may pay additional tax on your employer and/or salary sacrifice contributions. In some circumstances, failure to provide identity information may also limit the services that CareSuper can provide to you.
There may be some limited circumstances where you do not wish to identify yourself when dealing with CareSuper; for example, to anonymously report possible fraudulent or criminal activity relating to CareSuper. In such instances you may be able to deal with CareSuper using a pseudonym or anonymous reporting mechanism.
What personal information does CareSuper collect and hold?
The type of personal information collected and held by CareSuper includes, but is not limited to, your name, address, telephone number, date of birth, tax file number, email address and information about any people you have nominated to receive your benefits in the event of your death. This extends to collecting information about persons authorised to deal with your account. Health information may also be collected if you apply for insurance cover with CareSuper and/or when you claim some types of benefits.
Over time, this information will be supplemented by financial and other information necessary to administer your CareSuper account and communicate with you in a relevant and timely manner — for example, a change in your investment options, amounts transferred into and from your account, or a variation to your insurance cover. CareSuper also collects your personal information when you use the CareSuper website, including member and employer online services.
CareSuper will collect your personal information directly from you where practicable but may also collect personal information from third parties where you would reasonably expect us to collect such information — for example, but not limited to, medical information for an insurance claim. There may also be circumstances when your employer may provide your details to CareSuper on your behalf — for example, to inform us about your employment status and the contributions paid on your behalf. Information may also be collected from medical practitioners or your employer to assess your eligibility for insurance cover and/or to assess your claim for some types of benefits.
How does CareSuper deal with unsolicited personal information?
Where we receive personal information that we did not request and/or require for the purposes of administering your super account or relating to services provided by CareSuper, that unsolicited information will be either destroyed or de-identified, as required by law.
How is my personal information used and disclosed?
There are other service providers and organisations that provide services to CareSuper and its members which may also be provided with your personal information.
In some circumstances, we may need to disclose your personal details to third parties — including your employer, legal advisers and beneficiaries — in relation to death benefits.
We may also use your personal information for research and analysis for product and service improvement. CareSuper may engage third parties to conduct this research on our behalf.
The entities with whom we may share your information include:
- Mailing companies — organisations that are contracted by CareSuper or CareSuper’s administrator to mail and/or email your member statements, reports and other correspondence
- Financial institutions and banks to process your direct debit requests
- Entities that provide underlying investments or financial products that you choose as part of your CareSuper product
- Research organisations to obtain member or employer feedback and opinions for CareSuper
- Archiving companies — organisations that are contracted to ensure that CareSuper's documents are stored in a secure environment
- IT providers, digital data back-up and data storage companies — organisations that are contracted by CareSuper to provide IT and IT security services, and to back-up and securely store offsite data held electronically for the Fund
- Auditors, insurance providers (including re-insurers) and brokers, consultants, legal and other professional advisers who provide services to CareSuper
- Government departments, such as the Australian Taxation Office
- Identity verification services to confirm your ID documentation, subject to your consent
- Third party organisations that provide or offer to provide products and services to CareSuper members.
Where your personal information is disclosed to service providers and other organisations, we seek to ensure that it is handled in accordance with the APPs. Strict procedures are in place to ensure that the information disclosed to our service providers and other organisations is kept confidential and secure and that they have appropriate systems in place to comply with the requirements of the privacy laws. CareSuper will only provide personal information to the extent necessary for these purposes to be achieved.
CareSuper only permits the storage of personal information outside Australia where contractual arrangements are in place, including adequate data protection provisions to ensure that your information is handled in a manner consistent with the Australian Privacy Principles, or you have consented to the transfer of the information.
We are required by law to disclose your personal information from time to time. These circumstances include obligations to:
- Australian Taxation Office (ATO)
- Australian Prudential Regulation Authority (APRA)
- Australian Securities and Investments Commission (ASIC)
- Australian Transaction Reports and Analysis Centre (AUSTRAC)
- Australian Financial Complaints Authority (AFCA)
- Other superannuation funds for the purpose of rollover or transfer of benefits
- Your spouse/de facto, in accordance with the Family Law Act requirements
- The Courts or law enforcement agencies
- Any other government authority responsible for administering the laws or any other governing rules regarding superannuation funds or the availability of income tax concessions to superannuation funds.
How long will you store my personal information?
Minimum record keeping time periods apply to certain information retained by the Trustee, including personal and financial information. CareSuper will keep your personal information for the required statutory period of seven years from when we cease to provide services to you, as required by law. We may keep information longer. This will enable us to refer to your information when corresponding with you, or in connection with legal or regulatory proceedings.
Disclosure relating to insurance
If you apply for insurance cover, the details you provide on any of CareSuper’s insurance application forms, including your health information, are then provided to the insurer to assess your eligibility for any new or increased insurance cover.
If you make an insurance claim, you will need to provide additional personal and health information in accordance with the claims procedures of CareSuper and the insurer. To assess your claim, your personal and health information may be disclosed by the insurer to medical practitioners and other experts, nominated by the insurer.
If there is any dispute about an entitlement to insured benefits, the insurer or CareSuper may disclose your personal information to legal advisers and other parties involved in the claim or the resolution of complaints processes. By signing the relevant application for insurance or claim forms, you consent to the use and disclosure of your personal information for these purposes. Your personal or health information will not be used or disclosed for any other purpose without your consent.
Read more about how the insurer protects your privacy here.
Disclosure relating to third party organisations
CareSuper uses outsourced service providers, like the administrator indicated above, to assist in providing superannuation and pension services to you and has also developed relationships with third party organisations that we believe can offer you value-added products and services outside of super.
From time to time, CareSuper may contact you about products and services that are available to you as a member of CareSuper, and/or disclose your personal information to third party organisations to enable them to offer to provide such products and services. Any third parties, located in Australia, that receive your personal details from us, are bound by the Privacy Act when holding, using and disclosing your personal information.
To help you get information about these extra services, we may use or disclose your personal information in various ways, depending on the third party involved:
- Financial planning services
You may be contacted directly by one of CareSuper’s dedicated Financial Planners — in writing, via email or over the telephone — about how financial planning services can help you. Financial advice is offered through CareSuper’s relationship with Industry Fund Services Limited (IFS) and is provided by an authorisation under the Australian financial services licence of IFS, ABN 54 007 016 195, AFSL 232514. Financial advice obtained over the phone, or through MemberOnline, is provided by Mercer Financial Advice (Australia) Pty Ltd (MFAAPL), ABN 76 153 168 293, AFSL 411766. If you require more complex personal financial advice, our financial planners may refer you to an external advice service provided by Australian Unity Personal Financial Services Limited, ABN 26 098 725 145, AFSL 234459. For more information, visit caresuper.com.au.
- Additional member benefits
Additional member benefits are also available through our relationship with third party providers including, but not limited to:
- ME – home loans and other banking products
- ISinsured (Industry Super insurance) — general insurance products
- NIB, HCF and GMHBA Super Members Health Plan — health insurance products
- OneVue — services relating to the Direct Investment option
- Challenger — services relating to the Guaranteed Income Product
- Findex — SMSF wind-up service and online tax returns
- The New Daily — online news service
- Entities that provide underlying investments or financial products which you choose as part of your CareSuper product.
- Use of mail houses
CareSuper uses mail houses to send you fund information, statements, super updates and, from time to time, information about third party products and services. When this occurs, a non-disclosure agreement is signed by the mail house to ensure that your information is not disclosed to any other party and remains under the control of CareSuper. Your details will never be given to marketing databases.
- Direct marketing or service provision
We may provide personal information to other selected third-party organisations for the purposes of direct marketing or the provision of services.
In these circumstances CareSuper will ensure that disclosure of personal information is limited to the minimum information required.
CareSuper will ensure that any third-party organisations involved in direct marketing or the provision of services provide an opt-out function to members. This is in accordance with the APPs, which require any organisation marketing directly to you to provide a mechanism by which you can opt out of receiving marketing material. If you do not want your data to be made available for third party direct marketing or service provision purposes you can also contact CareSuper to opt out.
Please note the listing above is indicative and does not provide an exhaustive list of the third parties with which CareSuper deals. Disclosure may extend to other third parties consistent with the usages detailed under ‘How is my personal information used and disclosed.’
Where you directly authorise third-party accountants, financial planners, attorneys or legal representatives, in writing, to access member account information held by CareSuper, this information will be provided in accordance with the authorisation.
How can I ensure I do not receive this additional information?
If you do not want to receive any marketing material from us (which includes any information about our additional member benefits and about our financial planning services), or do not wish your information to be used for third parties’ direct marketing purposes, please call us on 1300 360 149, send us a message at caresuper.com.au/getintouch, or write to us at Locked Bag 20019, Melbourne Vic 3001. If you previously advised that you were happy to receive this information but have since changed your mind, please also contact us.
Security and personal information
How can I update my personal information?
CareSuper relies extensively on the accuracy of the personal information you or your employer(s) provide. If any of your details have changed, or if you have any concerns about the accuracy, completeness and/or relevance of your personal information, please contact CareSuper on 1300 360 149. You can also view and change some of your personal details by using our secure MemberOnline facility via our website caresuper.com.au.
How can I access my personal information held by CareSuper?
Under the Australian Privacy Principles, you have a right to know what personal information we hold about you and to obtain access to it or correct it, free of charge. You may access your information via:
- Phoning CareSuper on 1300 360 149
- Contacting the Privacy Officer at caresuper.com.au/getintouch
- Writing to Locked Bag 20019 Melbourne Vic 3001.
The Privacy Act provides limited circumstances in which some or all access to your information may be denied. If this applies to you, we will explain this to you when you ask for your information.
How is my personal information kept secure?
CareSuper will ensure that your personal information is kept secure and is accessed only by authorised personnel for the purposes specified in this Policy or as consented to by you. CareSuper has stringent security measures in place to protect your personal information in accordance with legal requirements, and the staff members who handle your personal information have the knowledge, skills and commitment to protect it from unauthorised access or misuse.
In the event that personal information held by CareSuper or its service providers is lost, unintentionally shared/divulged or subjected to unauthorised access or misuse, we have a Data Breach Response Plan which sets out our approach to assess and contain the incident, understand the effects and take steps to reduce any potential harm to members or participating employers, such as recovering lost data or implementing additional access controls and procedural upgrades to ensure incidents don’t recur.
We may need to notify you as required in the Act and report the data breach to the Office of the Australian Information Commissioner (OAIC).
Security and our websites
All member information held in our computer systems is protected from unauthorised access through the use of user log-ons, secure passwords, and other security procedures.
You can only access the MemberOnline services with your email and password. You should keep your password secure. It is also good practice to change it periodically. You can do this online by using the 'change password' facility. You should also ensure that you log off once you have finished accessing the MemberOnline services, otherwise other persons may be able to access your personal details.
You should be aware that there are security risks in transmitting personal information via the Internet. You should assess these potential risks before deciding whether to use any online services. If you do not wish to transmit information over the internet, you may provide the information to CareSuper by mail, telephone, or by on-site visit.
When you browse the CareSuper websites, our website service provider will log the following information:
- The server address
- Top level domain name (e.g. .com, .gov, .net)
- The date and time of the website visit
- The pages looked at
- The documents downloaded, and
- Type of browser used.
Information we collect when you browse our website and mobile app
Cookies are sent to your browser from a website, stored on your computer's hard drive, and are later recalled when you revisit that website, or when a request is made by third-party services such as Google or Facebook.
‘First Party Cookie data’ may store a range of data points originating from our website, such as which webpage/s you visited, the amount of time you spent on a particular page or whether you decided to submit a form to us.
‘Third Party Cookie data’ originates outside of our website, including from online publishers (like news websites) or social media channels, and is used to track the delivery of CareSuper advertisements. Depending on the source, data is typically aggregated to adhere to privacy and General Data Protection Regulation (GDPR) policies. GDPR is the European Union’s data law which applies to organisations around the world.
We collect Cookie data
Cookies are used to anonymously identify and save information about your activity on our website. We can then use this information to segment data, track the behaviour of visitors to our website, or personalise your overall experience on our website.
We use this data
If Cookie data is accepted by your browser, it may be pooled into a sampled data set (depending on the nature of the service provider or data model), and used for a range of advertising activities, including segmentation, targeting, tracking and data analysis. This helps us to make informed data-driven decisions and ensure the best possible experience for visitors to our website.
FIRST PARTY DATA
First party data explained
First party data is any stream of data where the audience’s information is collected directly by us. This could include — but is not limited to — your activity on our website, or a contact form completed directly on our website or a subdomain of our website.
Third-party services (e.g. Google Analytics, Google Optimize, Salesforce, etc.) can also be used to collect first party data, provided we’ve obtained the information from our installation or establishment of the third-party service.
First party data is important
First party data is collected to enable us to obtain an accurate representation of our audiences. This can include the collection of information such as your name, email, date of birth and information about your activity on our website.
Uses of first party data
In the case of services such as Google Optimize or Google Analytics, data is often sampled and is used to collect information about how people behave on our website. Similar to Cookies, this helps us to make informed data-driven decisions and ensure the best possible experience for visitors to our website.
The data that’s collected on our website is behavioural data, for example when you start an application to join CareSuper. This information about you is then linked to an anonymous identifier which is supplied by an advertising network in the form of a third-party cookie. The advertising network then uses this combination to create an anonymous profile of a user (you).
We collect retargeting data
We collect this data to facilitate targeted cross-website advertising across the online advertising network. This allows us to advertise specifically to people who have taken certain actions on our website and serve you more relevant advertisements.
Advertising networks use this data
The data is collected and stored by advertising networks. How each network handles the data differs and each network has its own privacy policies. The information they collect may include the content you view, the date and time that you view this content, or your location information associated with your IP address. They use the information they collect to serve you more relevant advertisements. The advertising network also collects information about where you saw the ads, the ads they served you and what ads you clicked on.
Security and external websites
Security and emails
CareSuper uses your email address to send regular e-newsletters and other electronic communications regarding superannuation, related topics and products. These are sent via a secure server. To help protect your privacy, always be wary of emails asking for confidential information or providing hyperlinks to log-in pages.
If you have provided your email address but no longer wish to receive these communications, please call us on 1300 360 149, or write to us at Locked Bag 20019 Melbourne VIC 3001 or use the unsubscribe facility within the email.
How do I make a complaint?
If you have any concerns about privacy, or you believe that your privacy rights have been breached and you wish to lodge a formal complaint, please contact CareSuper on 1300 360 149. Your complaint will be investigated and dealt with in accordance with CareSuper's complaint procedures, and you will receive a response within 30 days. Where your privacy complaint is not resolved to your satisfaction within this time, you may refer the matter to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted on 1300 336 992 or visit oaic.gov.au/privacy/privacy-complaints.
Review of this Policy
This Policy will be reviewed on a biennial basis by the Trustee (via the Compliance, Audit and Risk Management Committee).