Privacy policy
Our privacy policy outlines how we protect your personal information against misuse, loss, unauthorised access, modification and disclosure.
This policy is intended to ensure that the privacy of individuals is protected in the collection, use, disclosure and storage of personal information by Commonwealth Superannuation Corporation (CSC). This policy is addressed to members, their nominated beneficiaries, advocates, and individuals outside of our organisation including employers, visitors to our offices, visitors to our websites and affiliated services and (together, ‘you’).
CSC [ABN 48 882 817 243, RSE L0001397, AFSL 238069] is responsible for the privacy, confidentiality and security of personal information received by it in the course of its operations. Personal information is protected and kept confidential in accordance with federal legislation, including the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs) under that Act which sets out the standards, rights and obligations for how personal information is collected, stored, used, disclosed, and secured.
CSC is trustee of or administers 11 superannuation schemes, providing superannuation services to current and former Australian government employees and members of the Australian Defence Force (ADF).
CSC's primary function is to manage and invest the funds of the schemes in the best interests of all members and in accordance with the provisions of the various acts and deeds that govern the schemes. CSC's statutory functions are set out in the Governance of Australian Government Superannuation Schemes Act 2011 and scheme legislation and deeds. CSC, as the trustee of the CSS, PSS, MilitarySuper, PSSap and ADF Super is also required to comply with, for example, the Corporations Act 2001 and regulations, tax legislation and regulations, and the Anti-Money Laundering & Counter Terrorism Financing Act 2006.
This policy may be updated from time to time to reflect changes in our procedures with respect to handling of personal or sensitive information, or changes to applicable law. We encourage you to read this policy carefully, and to check this page to review any changes we may make to the terms of this policy. All information about you which is held by us, will be governed by our most recent policy.
What is personal information?
In general terms, the Privacy Act regulates how personal information about an individual is collected and handled. ‘Personal information’ is information or an opinion about an identified individual or an individual who is reasonably identifiable:
- whether the information or opinion is true or not, or
- whether the information or opinion is recorded in a material form or not.
Personal information includes information such as:
- your name or address
- bank account details and credit card information
- photos
- internet clickstream
- cookies data, or
- information about your opinions.
The thirteen APPs in Schedule 1 of the Privacy Act regulate how agencies (including CSC) can:
- collect
- use
- disclose
- store, or
- access
your personal information.
What is sensitive information?
Sensitive information includes information or an opinion concerning an individual’s health, or other personal attributes such as racial or ethnic origin, religious beliefs and membership of political or trade associations.
What personal information is collected, held, used and disclosed by CSC?
The type of personal information that is collected, held, used and disclosed by CSC includes information about superannuation contributions, name and address details, date of birth, salary, employment details, beneficiary details, medical information and contact details.
Sensitive information is collected where consent has been provided and the information is reasonably necessary for one or more of CSC's functions or activities. Sensitive information can also be collected where the collection of information is required or authorised by or under an Australian law or a court/tribunal order.
CSC may also collect identifying data about member activities or interactions with CSC’s online applications, including but not limited to the collection of user locations, number and frequency of access attempts, number, type and frequency of member transactions and pages visited.
It is reasonable to expect that the following information is what we may collect and hold about you. This may include, but is not limited to:
- name, address, date of birth and contact details
- Tax File Number (TFN)
- employment details
- information about your beneficiaries
We collect this information to enable us to administer your superannuation. If you decide not to provide the requested personal information to us, we may not be able to provide important services to you.
How does CSC collect personal information?
CSC may collect your personal information where we are authorised or required by law, where you have consented, or where the information is reasonably necessary for, or directly related to, our functions or activities.
Information is collected directly via email, correspondence, telephone, or gained indirectly through the website. Sensitive information is more likely to be collected, held, used and disclosed in circumstances where a claim for invalidity benefits is being made. In addition, sensitive information may be collected where an insurance or legal claim is being decided or contested, where a reconsideration of a decision is sought either internally or through the Australian Financial Complaints Authority (AFCA).
Other than when provided directly by you, sensitive information is primarily provided to CSC through external service providers, such as scheme administrators, employers, insurers, other Government agencies (such as DVA or Defence) or by external dispute resolution bodies (such as the AFCA).
We collect personal information from you through our dealings with you and as part of providing our superannuation products and services. The personal information we collect will depend on your interactions with us, and the choices you make, including your communication preferences and the products and services you choose. We may also obtain personal information about you from third parties.
The general way we collect personal information about you is when you give it to us (for example, when you contact us), however we may also collect personal information when:
- you or your employer contact us (e.g. if we provide a superannuation product or service to you through your employer)
- you roll over your superannuation benefits (either into CSC or to another superannuation fund)
- you visit our website, complete an online form on our website or use our online services
- you attend our member seminars, our Annual Member Meetings, or other CSC hosted events
- you visit our offices
- you select communication preferences to receive publications and other marketing information (see Disclosure for market research section for more information)
- other representatives, authorised by you to act on your behalf (e.g. financial advisor, lawyer, power of attorney, advocate), provide us with information.
We may also receive or share personal information about you for the purposes of administering your account from government agencies (including but not limited to your employer, the ATO, Services Australia, Department of Veterans’ Affairs, Department of Defence).
How does CSC store and protect information?
CSC and its service providers take reasonable steps to protect your personal information against misuse, loss, unauthorised access, modification or disclosure.
These steps include:
- Access to personal information is on a need-to-know basis, by authorised personnel
- Our premises have secure access
- Storage and data security systems and protections are regularly updated and audited.
- Technology, for example, restriction of access, firewalls, the use of encryption, user logons, passwords and multi-factor authentication (known as MFA).
CSC stores and holds your information in hard copy format and/or electronically on site and with third party storage providers, including on servers of third parties within Australia. CSC has agreements with its storage providers to keep all personal information they store secure, using appropriate security methods.
All records are handled and stored in accordance with the Australian Government Protective Security Policy Framework. When no longer required, personal information is destroyed in a secure manner, or archived or deleted in accordance with our obligations under the Privacy Act and Archives Act 1983.
CSC may combine personal information we receive about you with other information we hold about you. This includes information received from third parties such as employers. As far as reasonably practicable, we will make sure that our relationships with third parties include appropriate protection of your privacy.
Personal information is collected, held, used and disclosed as required or authorised by law, for the purpose of managing the superannuation schemes. This includes the management of superannuation investments, providing superannuation products, services and information to members, administration of the superannuation schemes and payment of benefits, conducting market research and product development in the interests of scheme members.
CSC may also collect, hold, use and disclose information to and from a complaints authority or tribunal where required. CSC is required, if requested in accordance with the requirements of the Family Law Act 1975, to provide information about a member’s interest in a superannuation fund to their spouse or a person who intends to enter into an agreement with the member about splitting their superannuation interests in the event of marriage breakdown. The request must be in a form prescribed by law. The law prevents us from telling the member about any such request.
Disclosure to and from third parties
We may disclose your personal information to third parties for legitimate reasons, if you have consented to it, or if we are required by law to do so. It is reasonable for you to expect this information may be shared with:
- our related entities
- our legal advisors and auditors
- employers or former employers
- legal or regulatory authorities (e.g. police, regulators such as ASIC or APRA)
- our service providers (for more information see below)
- medical, health, and wellbeing professionals
- a person authorised to act on your behalf (such as power of attorney, advocate or adviser)
- government agencies (such as Services Australia, ATO, Department of Veterans’ Affairs, Department of Defence)
- international agencies or companies with your consent (e.g. KiwiSaver Fund)
- other organisations or superannuation funds (e.g. a superannuation fund you are transferring into or out of),
- any relevant third party or court, as required by law (such as your spouse or former spouse as required by a court order under the Family Law Act 1975 (Cth)).
Personal information is primarily provided to CSC directly or through your employer or other external service providers:
- Mercer Administration Services (Australia) Pty Limited (MASAPL) [ABN 48 616 274 980, AFSL 245591] provides scheme administration services for PSSap and ADF Super. This includes processing contributions and benefit payments and administering member accounts. MASAPL’s privacy policy is available at Mercer Australia Privacy Policy.
- AIA Australia Limited (AIA) [ABN 79 004 837 861, AFSL 230043] provides group insurance benefits to certain PSSap and PSS members. AIA's privacy policy is available at AIA Australia Privacy Policy.
- Guideway Financial Services Pty Ltd (Guideway) [ABN 46 156 498 538, AFSL 420367] enables CSC financial planners to deliver a financial advice service to our members. This includes authorising CSC employees to provide financial advice. Guideway’s privacy policy is available at Guideway Privacy Policy.
- Australian Financial Complaints Authority (AFCA) provides free, fast and binding dispute resolution to consumers and small businesses. AFCA’s privacy policy is available at AFCA Privacy Policy.
- The Office of the Australian Information Commissioner (OAIC) oversees government information policy functions. The Information Commissioner reports to the Attorney-General on matters relating to Australian Government information management policy and practice, including FOI and privacy. The OAIC’s privacy policy is available at OAIC Privacy Policy.
- The Commonwealth Ombudsman (Ombudsman) provides assurance that the Australian Government entities and prescribed private sector organisations the Ombudsman oversights act with integrity and treat people fairly, and influences enduring systemic improvement in public administration in Australia and the region. The Ombudsman’s privacy policy is available at Ombudsman Privacy Policy.
MASAPL, AIA, Guideway, AFCA, OAIC and the Ombudsman may pass on personal information to CSC for the purpose of managing the superannuation schemes and member accounts and providing superannuation and dispute resolution services to members.
Personal information is provided to these service providers or to CSC directly from the member themselves, a third party associated with the member such as an adviser or family member under a power of attorney (consent is obtained from the member in these circumstances) or through an eligible employer.
Disclosure for market research
CSC may conduct research to find out what you think about a range of issues including the services we deliver. We will do this in accordance with the Spam Act, Do Not Call Register Act and the Privacy Act. If we use your sensitive information for the purpose of direct marketing, we will only do so with your express consent. The results of research help CSC improve the services we provide to members. CSC contracts with external companies to conduct this research. Where the research is related to our services, we may provide your contact details to those companies. If we do disclose your contact details, the company is contractually required to keep your information secure.
Results of market research activities do not reveal the identity of participants or link the feedback or comments provided to them. Participation in market research will not affect the services you receive from CSC. A decision not to participate in market research will not affect the services CSC provides to you. CSC will not release your personal information to any person unless the law requires it, or your permission is given.
You have the right to opt-out of market research communications. You may elect to opt-out of market research communications by the details provided in this policy or by using the relevant opt-out facilities provided in each communication (e.g. an unsubscribe link).
Is CSC likely to disclose personal information to overseas recipients?
CSC generally does not disclose personal information to overseas recipients unless we need to do so for the purposes of administering your account. Where permitted by law, CSC’s scheme administrators may disclose personal information for the international transfer of superannuation benefits. For members with relevant transferred funds, the information disclosed may include their name, date of birth, principal address and national insurance number (or unique tax reference).
CSC takes all reasonable steps to ensure that the overseas recipients of your personal information do not breach the privacy obligations relating to your personal information.
Collection of information via website activity
When our website is visited, certain information is collected to allow us to change and improve our websites and online services. Typically, this information consists of:
- what pages are visited
- what day and time they are visited
- how often the site is visited, and
- what browsers are used.
When using the online services provided by CSC or MASAPL, all information passing between a personal computer and the secure section of our website is encrypted to enhance its security. While we endeavour to provide a secure environment, there are inherent security risks associated with communicating over the internet. We provide alternative means of communication including direct contact via telephone, facsimile, or post if preferred.
Data breaches
We must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals if we become aware that there are reasonable grounds to suspect an eligible data breach has occurred. We have policies and procedures in place to identify and assess data breaches and to notify OAIC if required.
Collection of personal information concerning children
CSC collects personal information concerning children for the purposes of assessing eligibility to receive a benefit. Information is collected, held, used and disclosed in accordance with this policy.
Accessing and correcting your information
CSC takes steps to ensure that the personal information we collect is accurate, up to date and complete. These steps include maintaining and updating personal information when we are advised by individuals their personal information has changed, and at other times as necessary.
Information we hold about you should be kept up to date and accurate. Please advise us of any changes to your information. Customers of the superannuation schemes managed by CSC may request access to information held about them under the Privacy Act and the Freedom of Information Act 1982.
Under the Privacy Act you have the right to ask for access to personal information that we hold about you and ask that we correct that personal information. We may require proof of identity before we can give effect to any of these rights. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take responsible steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.
Find out more about accessing your personal information.
Staff, job applicants and contractors
Your personal information is protected by law, including the Privacy Act and the APPs, and is collected by CSC to determine your suitability for an advertised vacancy. Your application for employment cannot be considered without the collection of this personal information. Personal information can only be accessed by relevant CSC staff and recruitment service providers, which may include CSC’s recruitment team, the People team and selection committee members who are conducting the selection process. Relevant information may also be disclosed to previous employers or other agencies or persons as part of a pre-employment check. The check establishes your identity, eligibility and suitability for employment.
Personal information is stored in a cloud-based service that is based in Australia and will not be stored overseas. If you are deemed suitable and placed in a talent pool, your information may be used for subsequent recruitment processes if a suitable position becomes available.
Enquiries and complaints
If you have any comments, questions or concerns about information and data privacy or would like to make a complaint about a breach of your privacy, please visit our website. We will endeavour to respond or resolve your complaint as quickly as possible.
If you consider that CSC has interfered with your privacy, you should first make a complaint to CSC through our complaints handling process by calling 1300 033 732 or emailing customer.care@contact.csc.gov.au, generally allowing 30 days for a response.
Upon receipt of your complaint, CSC will:
- gather the facts relevant to the complaint
- investigate the issues raised and consider how your request regarding outcomes can be met
- communicate our response to you in person and in writing, and invite you to reply to our response
- identify any systemic issues raised and possible responses, and
- record your complaint and outcome.
How to make a complaint to the OAIC
You can obtain further general information about your privacy rights and privacy law from the Office of the Australian Information Commissioner (OAIC). If you are not satisfied with CSC’s response to your complaint, you may make a complaint to the OAIC. Where appropriate, the Commissioner can make preliminary enquiries into the matter, investigate and/or attempt to resolve the complaint by conciliation.
In some circumstances, the Commissioner may decline to investigate complaints. If a complaint is not resolved, the Commissioner may make a determination about whether an interference with privacy has occurred.
More information about the Commissioner’s privacy complaint handling process can be found online.
The contact details for OAIC are:
- Post: Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
- Telephone: 1300 363 992
- Email: enquiries@oaic.gov.au
- Website: http://www.oaic.gov.au
Updates to this Privacy Policy
This privacy policy was updated in August 2021. The policy will be reviewed triennially or following a trigger event. We reserve the right to change this policy at any time.
Alternate versions of Privacy Policy – available upon request
This Privacy Policy can be requested in an alternate form, for example, for accessibility reasons.
Please contact CSC and make a request.