Scope of this Policy
This Policy has been formulated to ensure that Gardior complies with its legal requirements in relation to privacy. Gardior is required to comply with the requirements of the Privacy Act 1988 (the “Privacy Act”). The Privacy Act provides for a legislative framework governing the management of personal information held by Gardior in conducting its business operations. Specifically, Gardior is required to comply with the Australian Privacy Principles (APPs).
This Policy has been reviewed taking into account the Office of the Australian Information Commissioner (OAIC) guidelines (last updated in July 2019) so far as they apply to Gardior and the Gardior Group.
Roles and responsibilities under this Policy
The Gardior Board (the “Board”) has ultimate responsibility for this Policy and Gardior’s compliance with the Privacy Act and APPs. This responsibility includes ensuring that the Policy:
- remains up to date;
- contains content which is clearly expressed;
- is available free of charge and in an appropriate form; and
- is supported by practices, procedures and systems that will ensure Gardior complies with the APPs and is able to deal with related enquiries and complaints.
To ensure the Policy remains up to date, the Board will review the Policy at least annually and more often as required. To assist the review of the Policy and to allow the Board to assess whether the Policy is being effective in achieving its purpose and objectives, the Company Secretary will provide sufficient information as to:
- any changes in regulations or industry practice since the prior review of the Policy;
- confirmation as to whether the operational processes documented in the Policy have been observed and effective in the review period; and
- information as to any breaches of the Policy or privacy breaches in the review period.
Risk, Audit and Compliance Committee (RACC)
The Board has delegated to the RACC the responsibility to:
- consider any breaches of the Policy and privacy breaches in accordance with the Breach and Incident Management Policy; and
- obtain comfort that Gardior is complying with its regulatory obligations with regard to privacy.
The Board delegates to the Company Secretary the responsibility for the formulation of processes and procedures to ensure Gardior’s operations accord with this Policy.
- ensuring that employees of Gardior are aware of their obligations under the Policy and the procedures which it documents;
- ensuring that third parties with which Gardior shares personal information have adequate processes to manage that personal information;
- ensuring that the collection and storage of personal information is undertaken in accordance with the Policy; and
- ensuring that any breaches of the Policy and privacy breaches are reported and managed in accordance with the Breach and Incident Management Policy.
Gardior has engaged an external Compliance Consultant to:
- review this Policy on an annual basis and provide assurance to Gardior that the Policy is aligned to the relevant, current regulatory obligations of Gardior and covers the scope of obligations that Gardior must meet;
- provide assurance to Gardior that the policies and procedures documented in the Policy and in the Gardior Compliance Program contain effective compliance processes and procedures for the purposes of meeting regulatory obligations;
- monitor any changes to the Privacy Act which will require review of this Policy; and
- review reports of breaches of this Policy and Gardior privacy procedures.
Definitions used in this Policy
IPS, Gardior’s Fund Administrator, part of the IFAA group of companies (IFAA).
Australian Privacy Principles
Board of Directors of Gardior Pty Ltd.
The Company Secretary of Gardior Pty Ltd.
An external provider of compliance consultancy services engaged by Gardior.
Director of Gardior Pty Ltd.
Gardior Pty Ltd ABN 71 076 835 955. Gardior is Trustee of TIF.
Investment funds for which Gardior acts as Trustee
Gardior, TIF and its subsidiaries.
Office of the Australian Information Commissioner
Privacy Act 1988
Gardior’s Risk, Audit and Compliance Committee
The Infrastructure Fund, an unregistered managed investment scheme.
Purpose of this Policy
This Policy sets out the Board of Gardior’s policy on the management of personal information about individuals, including the collection, use, disclosure and security of personal information.
The Policy also describes the process to access and correct information that Gardior holds and how to make enquiries or complaints about how Gardior manages the personal information it has collected.
In documenting its approach to the management of personal information, Gardior will ensure that it manages personal information in an open and transparent way and in a manner consistent with the Privacy Act and APPs.
Personal information that we hold and how and why we collect it
Gardior collects minimal personal information as Gardior’s investors are incorporated organisations, rather than natural persons. The information collected about such entities may not be subject to the same privacy requirements as personal information.
Gardior collects personal information about representatives of investors or service providers of its investors as required in the normal course of business.
In addition, Gardior may collect personal information regarding Gardior Directors and other individuals employed within the Gardior Group.
Gardior will only solicit personal information where this information is reasonably necessary for Gardior’s functions or activities.
Collection of personal information by service providers
Personal information may be collected in the normal course of business directly by Gardior or on behalf of Gardior by its service providers.
Gardior has outsourced the performance of investment administration and accounting services to Independent Professional Services Pty Ltd (ABN 67 126 760 638), part of the IFAA group of companies (“IFAA”). Gardior also outsources the Investment Management services for Gardior Funds.
All outsourced providers to Gardior undertake to keep personal information confidential and not to use it for any purposes other than those outlined in this Policy.
Personal information may be collected by IFAA in performing Administration services on behalf of Gardior. IFAA collects, uses, discloses and holds onto this information on behalf of Gardior. IFAA staff involved in the collection of information on behalf of Gardior do so in accordance with the Privacy Policies of IFAA and Gardior as well as privacy procedures in place at IFAA to ensure compliance with the Privacy Act.
Process of collection
Gardior will typically only collect personal information directly from an individual. Where personal information is to be obtained from a third party, Gardior will reasonably ensure that it has the consent of the individual to obtain the personal information from the third party.
Gardior will typically collect personal information either by email or by way of a prescribed form prepared for the purpose. When Gardior collects personal information by way of a prescribed form, Gardior will ensure that the form contains a Privacy Statement detailing appropriate information about the purpose of collection and use of the personal information.
The types of personal information that Gardior collects about an individual will depend on the purpose of collection and may include, but not be limited to:
- date of birth;
- directorships and shareholdings;
- employment history;
- place of birth and country of residence;
- proof of identity documents;
- bank account details;
- name of employer and employer’s address;
- telephone number; and
- email address.
Personal information will only be collected by Gardior by lawful and fair means. A ‘fair means’ of collecting information is one that does not involve intimidation or deception, and is not unreasonably intrusive. Lawful means that the collection of information will not be in breach of legislation.
Sensitive personal information
Gardior will not collect sensitive personal information in the normal course of business operations. Were Gardior to be required to collect sensitive personal information, it will:
- ensure that it is clearly demonstrable that the information is required for Gardior’s functions or activities;
- expressly seek the consent of the provider of the information;
- not solicit the sensitive personal information from a third party; and
- take additional steps to ensure that the sensitive personal information is safely stored and only utilised for the express purpose for which it is obtained.
Use of the website
Unsolicited personal information
Unsolicited personal information is personal information received by Gardior where Gardior has taken no active steps to collect the information. From time to time we may receive unsolicited information.
Gardior will ensure that unsolicited information is afforded appropriate privacy protection.
When Gardior receives unsolicited information, it is required to consider whether the personal information is of a type that Gardior would collect in its normal course of business. This is referred to as personal information Gardior can collect. To be personal information which Gardior can collect, it must be personal information of a type which is reasonably necessary for, or directly related to, one or more of Gardior’s functions or activities.
If Gardior receives unsolicited personal information we will:
- consider if we can collect it;
- destroy or de-identify the information if we cannot collect it; and
- if we can collect it, ensure we manage the information in the same way we manage solicited personal information in accordance with this Policy.
Right to anonymity
Providers of information have the right to anonymity or the use of a pseudonym when dealing with us. However, when this occurs, it means we may not be able to disclose any information to that person regarding Gardior that is of a confidential nature i.e. not publicly available.
Access to personal information
Access to personal information is limited to authorised employees of the Gardior Group and its service providers who require access to this information. The information may be disclosed to regulatory agencies to ensure compliance with legal and other regulatory requirements.
Personal information and how we disclose it
Disclosure of personal information
Gardior will only use and disclose the personal information we hold for the following purposes (primary purposes):
- Performing any function in relation to the administration of Gardior Funds or the Gardior Group, or any other service or function required to manage and operate the Gardior Funds on behalf of our investors, by Gardior or its service providers.
- Providing advice to the Gardior Board.
- Considering an application to invest in a Gardior Fund.
- Allowing for the conduct of due diligence and regulatory appointment processes for Gardior Directors and Directors appointed to the boards of companies within the Gardior Group.
- Recruitment and selection processes for Gardior staff members.
- Where required to satisfy due diligence requests for assets of Gardior Funds or existing and prospective investors in Gardior Funds.
- Managing Gardior’s rights and obligations in relation to external parties.
- Developing and identifying products the entity may be interested in.
- Arranging for the provision of products and services to the entity.
We may also use or disclose personal information for the following purposes (secondary purposes):
- Regulator reporting e.g. ATO, ASIC where required by legislation.
- Provide information to the courts in relation to a complaint.
- To assist Gardior in complying with legal and regulatory requirements.
- To assist with administering Gardior, information may be passed on to third parties, who assist Gardior in complying with legal and regulatory requirements.
All of the organisations to which the personal information may be disclosed require appropriate Privacy Policies and systems that adhere to Australian privacy law.
Gardior does not disclose personal information to other organisations for marketing purposes.
If Gardior uses or discloses personal information for enforcement related activities, we will make a written record of this.
Disclosure to overseas recipients
Gardior may disclose personal information to an overseas recipient, where doing so is required to perform any function in relation to the administration of Gardior Funds or the Gardior Group, or any other service or function required to manage and operate the Gardior Funds on behalf of our investors, by Gardior or its service providers. Such functions could include opening or maintaining bank accounts with banks based overseas or creating or administering foreign domiciled entities within the Gardior Group.
Gardior will only do this if either:
- We obtain the express consent of the person to provide the information to the overseas recipient and advise that person of the potential consequences of doing so; or
- We have taken reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. This may take the form of a Confidentiality Deed or obtaining an undertaking from the recipient; or
- We reasonably believe that the receiving entity is subject to privacy laws which afford similar protections to the Privacy Act; or
- The disclosure is required or authorised by or under an Australian law or a court/tribunal order.
Government related identifiers
A government related identifier is an identifier that has been assigned by an agency, a State or Territory authority, an agent of an agency or authority, or a contracted service provider for a Commonwealth or State contract.
Gardior will only collect government related identifiers that we believe are reasonably necessary for one or more of Gardior’s functions or activities. Government related identifiers will be treated as personal information if provided.
Gardior will not adopt a government related identifier of an individual as its own identifier of the individual.
Where Gardior has requested provision of government related identifiers such as tax file numbers in the process of business operations, we will only disclose a government related identifier to a third party in the following circumstances:
- when required by legislation.
- when required by a court order.
- for enforcement related activities.
- in order to facilitate an investment transaction for which the government related identifier was obtained.
- in circumstances where provision of such information is necessary for the day to day administration of Gardior, Gardior Funds or the Gardior Group, and the provider of the government related identifier would reasonably expect such information to be disclosed in the circumstances.
Data integrity (quality)
Quality of information
Gardior will take reasonable steps to ensure that the personal information that we hold is accurate, complete and up to date. We will do this by:
- sending to investors a request to update personal information we have collected as regularly as required based on business needs;
- promptly responding to any requests received from properly authorised investor representatives to update the information we hold; and
- updating our information based on documentation or correspondence received from investor representatives in the normal course of business.
Gardior will take reasonable steps to ensure that the personal information that we hold is secure and is protected from misuse, interference and loss, or from unauthorised access, modification or disclosure.
We will do this by ensuring that:
- our IT systems have adequate restrictions to ensure that only staff involved in the provision of services to Gardior, Gardior Funds and the Gardior Group are able to access the personal information we collect;
- our IT systems have proper processes for the storage and back up of data; and
- staff involved in the provision of services to Gardior have received appropriate training on the management of sensitive information.
If Gardior has determined that we no longer need the personal information we have collected about individuals, we will take appropriate steps to destroy the information or ensure it is de-identified.
Eligible data breach notifications
Where Gardior becomes aware of a breach of data security (i.e. unauthorised disclosure, access or loss), it will manage the breach in accordance with the processes documented in the Gardior Breach and Incident Management Policy.
Gardior will notify eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and affected individuals in accordance with the requirements of the privacy regulations.
Access to and correction of information
Access to information
Individuals are entitled to access information Gardior holds about them. If an individual wishes to know what information Gardior holds about them, they can contact Gardior in writing, or by phone.
Requests for information can sometimes be answered over the telephone, or a copy of the information can be sent by post.
Individuals cannot access information about any other individual for whom we have collected personal information unless that individual has given written approval to do so.
Under certain circumstances Gardior may not be able to fully disclose what information is held about an individual to that individual. These circumstances could include when:
- provision of the information would have an unreasonable impact on the privacy of other individuals;
- the information relates to legal proceedings with the individual;
- the information would reveal commercially sensitive information; or
- Gardior is prevented by law from disclosing the information.
If this access is requested, Gardior must respond to the request within a reasonable period. Gardior must give access in the manner requested, except where it is unreasonable or impracticable to do so.
If Gardior refuses access, we must provide written reasons that set out:
- the reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
- the mechanisms available to complain about the refusal; and
- any other matters prescribed by the regulations.
We will not charge a fee for making a request or accessing information held.
Correction of information
Gardior seeks to ensure that personal information collected remains accurate, complete and up-to-date.
We may correct the information we have collected if we believe it is inaccurate, out of date, incomplete, irrelevant or misleading. We will do so by ensuring internal processes are adequate to maintain data quality and contact is made with the individual concerned where practical.
If we correct information that we hold that we have also given to a third party (under approved means) we will also request that entity to correct the information.
In certain circumstances, we may refuse to correct the information we hold. Were this to occur we would provide written reasons that set out:
- The reasons for the refusal except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so; and
- The mechanisms available to complain about the refusal; and
- Any other matters prescribed by the regulations.
If we refuse to correct the information, the party from whom the information was collected has the right to ask us to associate with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. Gardior must take such steps as are reasonable in the circumstances to associate the statement in such a way that will make the statement apparent to users of the information.
We must respond to the request to correct the information within a reasonable period and we will not charge a fee for the making of the request, correcting the personal information or for associating the statement with the personal information.
Gardior does not typically use or disclose personal information for the purposes of direct marketing.
Were Gardior to use or disclose personal information for direct marketing, we would only do so where the person providing the information:
- has given their consent;
- would reasonably expect us to use or disclose the information for that purpose and we provide a means of opting out and the person has not requested to opt out; or
- would reasonably expect us to use or disclose the information for that purpose and either consented or it is impracticable to obtain consent and we provide opt out and prominently advise that the person can make such a request.
We will not use sensitive personal information that we hold about individuals for the purposes of direct marketing.
Individuals may request at any time to not receive direct marketing communications from us using any means. If such a request is made, we will not charge a fee for the making of or giving effect to the request.
Complaints handling process
Complaints about a breach of privacy
Privacy breaches are taken seriously by Gardior. If any individual has a complaint about a possible breach of their privacy, the individual should first contact the Gardior Company Secretary.
Contact details for the Company Secretary are:
Address: Level 32, Central Plaza, 345 Queen Street, Brisbane QLD 4000
Telephone: +61 409 496 123
Contact email: Charmaine@gardior.com.au
If the complaint is not resolved, individuals can complain to the Office of the Australian Information Commissioner, telephone 1300 363 992 or visit www.oaic.gov.au
Complaints about handling of personal information
If an individual wants to make a complaint about the handling of their personal information they may write to the Company Secretary using the above contact details.
A response will be provided within 30 days.
If the individual is not satisfied with how we have handled the complaint or if we have not provided a response within 30 days of receiving the written correspondence, the individual may write to the Office of the Australian Information Commissioner. A complaint to the Office of the Australian Information Commissioner can be made by:
- telephone 1300 363 992
- visiting www.oaic.gov.au