Issue date 5 July 2023
ASIC collects personal information about you through the Regulatory Portal to perform the functions and powers conferred on it under the legislation referred to in sections 11 and 12A of the Australian Securities and Investments Commission Act 2001.
This Collection Notice forms part of our Privacy Policy, and together they form our notice for collecting personal information through our Regulatory Portal under Australian Privacy Principle (APP) 5.
Please read our Privacy Policy in full, as it contains additional information on:
- our personal information handling practices, including how we store and secure personal information;
- the purposes for which we collect use and disclose personal information, including in cooperation with law enforcement agencies and foreign regulators; and
- our contact details including how you can access and correct, or lodge complaints about, your personal information.
What we collect through the Regulatory Portal
The personal information we collect through the Portal comprises:
-
Registration and Identification Portal Data – information collected when you register or log in to use the Portal, including your name, contact details (e.g. mobile phone number and email address), date of birth, your user ID and a password; and
- Transactional Portal Data – information collected when you or others submit any form or transaction (including any attached document) or otherwise provide information through the Regulatory Portal, including:
- your or another person’s contact details, date of birth, driver licence details, passport number and visa details,
- your bank account details, business and financial interests including details of your trading in securities, shareholdings and interests in any superannuation funds, and Australian Business Number
- your professional qualifications and details of any banning, disqualification, or convictions or adverse findings by a Court or Tribunal or any other disciplinary bodies
- reports of misconduct, contraventions or suspicious trades
How we collect personal information through the Regulatory Portal
We collect personal information directly from you through the Portal when you:
-
register or login to access and use the Portal; or
-
submit a form or transaction (including any attached document) on the Portal.
We may also collect information about you through the Portal from another person. For example:
- your details may be provided to us by your employer, supervisor, business partner, authorised representative, employee, principal or agent to create and send an invitation key for your activation to register as their authorised user of the Portal, or to link you to their registration or licences.
- your details may be provided for the roles, responsibilities or positions held by you, or specified for you in a form or transaction (including any attached document) submitted by or on behalf of your company or business organisation on the Portal.
- your details may be provided for the role of billing contact for a regulated entity within the Portal.
- your details may be provided by your company, business organisation or a registered company auditor when reporting potential misconduct or complying with their statutory reporting requirements.
- your details may be provided to us by a market participant in relation to any suspicious or irregular trades.
- we may have a record of your personal information (including within any of our registers or in our Regulatory Data Repository) that we may access and use to prefill any form, or to identify any form or transaction, to be submitted by you or another person through the Portal.
- we may collect information about you from other bodies, persons or agencies.
Except where you are reporting potential misconduct or complying with statutory reporting requirements, if you include personal information about another person on the Regulatory Portal, including in a form or transaction (or any attached document) submitted or to be submitted by you, you are required to:
- notify each individual and obtain their prior written consent to your and our respective collection, use and disclosure of their personal information through the Portal; and
-
confirm to us you have done this and can provide a copy of the consent to us on request.
You may use the third party consent form available on the Portal to seek and record their consent.
Where your personal information is disclosed by another user of the Regulatory Portal, including in a form or transaction (or any attached document) submitted by that user, we require that user to:
-
have notified you and obtained your prior written consent to their and our respective collection, use and disclosure of your information through the Portal; and
-
confirm to us that they have done this and can provide a copy of your written consent to us on request.
Why we collect personal information
We collect personal information in the Regulatory Portal in the form of Registration and Identification Portal Data for purposes which include to:
-
register you as a user;
-
manage any change, or perform any other administrative tasks related to your registration or a regulated entity you are connected to;
-
identify you, including by reference to other information we hold;
-
manage your identity and the identity of other users;
-
communicate with you and other users;
-
link a user to a related professional registration or entity;
-
perform the functions and exercise the powers conferred on us under any legislation that we administer;
-
conduct any cooperation with other agencies; and
-
otherwise assist us in interacting more efficiently with you as a stakeholder whose activities are subject to legislation administered by us, or as an authorised representative of another person or entity who is, or whose activities are, regulated by us.
If we do not collect your Identification Portal Data, we are unable to offer use of the Regulatory Portal to you.
We collect personal information for inclusion in the Regulatory Portal in the form of Transactional Portal Data for:
-
the purposes specified in our Privacy Policy, including to:
-
handle reports of suspected misconduct lodged with us, monitor compliance with the laws we administer, and identify, investigate and take enforcement action in relation to contraventions of those laws;
-
carry out our statutory obligations (such as administering our registration and licensing functions, granting relief from regulatory requirements and dealing with unclaimed property);
-
consult with stakeholders, carry out data analytics and consider and determine policy frameworks;
-
cooperate with foreign regulators and law enforcement agencies;
-
deal with and assess complaints about our conduct;
-
calculate levies under the industry funding model;
- invoice leviable entities and other regulated entities for levies and fees and manage payment of invoices;
-
manage our employees, contractors and service providers;
-
enable users to access our online tools and systems; and
-
-
any purposes related to our operation and administration of the Regulatory Portal, including to:
-
identify you and other individuals, including by reference to other information we hold;
-
verify information submitted to us;
-
enable any person authorised by you or your authorised representative, or by your company or business organisation to:
-
access information contained in a form or transaction (including any attached documents) submitted by you or any of them through the Portal; or
-
conduct an activity, or to carry out a purpose, authorised by you or any of them to be conducted through the Portal;
-
-
facilitate and support our delivery and administration ofthe Industry Funding Model under the ASIC Supervisory Cost Recovery Levy Act 2017, the ASIC Supervisory Cost Recovery Levy (Collection) Act 2017, and any related regulations and instruments;
- facilitate and support our delivery and administration of the Financial Services Compensation Scheme of Last Resort under the Financial Services Compensation Scheme of Last Resort Levy Act 2023, the Financial Services Compensation Scheme of Last Resort Levy (Collection) Act 2023, and any related regulations and instruments; and
-
-
cooperate with any Commonwealth, State or Territory law enforcement agencies.
If we do not collect your Transactional Portal Data, we are unable to take the actions listed above, including perform our functions and powers in relation to your submission through the Portal.
Use or disclosure of information
Personal information about you may be used or disclosed in accordance with our Privacy Policy and also by us when we:
-
make forms or transactions (including any attached documents) submitted through the Portal available for access by any person authorised to view them in the Portal;
-
prefill fields in forms or transactions created by any user authorised to do so in the Portal; and
- where required or permitted by law:
- register and publish information in our publicly accessible registers (for example, the Register of Passport Funds maintained by us under the Corporations Act 2001 (as amended by the Corporations Amendment (Asia Region Funds Passport) Act 2018); or
- make forms or transaction (or parts of them) publicly available for inspection and copying; or
- publish information as required by s912DAD of the Corporations Act 2001, about reports of breaches and likely breaches of core obligations of financial services licensees reported to ASIC or APRA during a financial year, and publish information about the entities to which those reports are lodged with ASIC or APRA.
Disclosure and collection involving other bodies and international agencies
We may disclose your personal information for the purposes for which we have collected it, including:
-
to lawyers and other service providers who we engage to assist us with our activities and functions;
-
as required or authorised by a law of the Commonwealth, State or Territory, including disclosure to other Commonwealth agencies or bodies; State or Territory government agencies or bodies; the Australian Securities Exchange; or the courts and tribunals; and
- to the public, where personal information is required to be published in a register that can be searched by the public or in the gazette, or on our website.
We may also disclose your personal information to a third party where:
-
you have consented to the disclosure;
-
you would reasonably expect us to disclose the personal information; or
-
we reasonably believe the disclosure is necessary for law enforcement activities.
We may also disclose, or collect personal information:
-
about you; or
-
about another person identified by you or who is otherwise relevant to you or your activities under an ASIC-administered legislation,
to, or from, other types of bodies or persons that we usually disclose or collect personal information, including:
-
foreign regulators under our international cooperation arrangements with them (for details on our arrangements with foreign regulators, see International Activities);
-
foreign regulators or their authorised representatives, where authorised by laws including the Mutual Assistance in Business Regulation Act 1992 or the Corporations Act (as amended by the Corporations Amendment (Asia Region Funds Passport) Act 2018);
-
foreign or Australian entities (including their authorised representatives) authorised by law to market, offer, provide, or receive any Passport Fund or other approved financial products in Australia, or in a foreign jurisdiction authorised by the applicable law; and
-
foreign law enforcement agencies and regulators in accordance with our Privacy Policy.
If we do not collect your Identification Portal Data and Transactional Portal Data, we are unable to carry out the activities, purposes and functions listed above in this section.
Storage and security of information
We store personal information collected as part of the Registration and Identification Data or the Transactional Portal Data in the Regulatory Portal in compliance with our obligations under the Commonwealth Protective Security Policy Framework.
The information is securely stored to prevent loss, unauthorised access, misuse, modification or disclosure. The reasonable steps we take to ensure we comply with APP 11 to secure personal information include password protection and access privileges, audit logs, warning notices, and ASIC Acceptable ICT Use Policy.
When you de-activate your Regulatory Portal account, or when your company or business organisation terminates or withdraws your authority to access or use your Portal account:
-
you will no longer have access or be able to use it, and you may not seek to access or use the account for any purposes; and
-
we will retain all copies or records that you have submitted through the Regulatory Portal and deal with them (including any destruction as per ASIC’s normal administrative practice) in accordance with the Archives Act 1983 (Cth).
Complaint and breach reporting
If you believe we have breached the APPs, you can submit a complaint in accordance with our Privacy Policy.
We are bound by the Australian Government Agencies Privacy Code registered under the Privacy Act 1988. The Code specifies our key requirements including practical steps to enhance our privacy capability and transparency in information handling practices. Information about how you can access your personal information, or lodge a complaint about our information handling practices under the Code is available at ASIC Privacy.
The Notifiable Data Breaches (NDB) scheme established under The Privacy Amendments (Notifiable Nata Breaches) Act 2017 (Cth) requires us to notify you and provide you with specified information if:
-
there is an actual or suspected data breach involving an unauthorised access, unauthorised disclosure or loss of personal information held by us;
-
the breach is likely to result in serious harm to you; and
-
we have not been able to prevent the likely risk of serious harm with remedial action.
We need not notify you if we have assessed the breach to be minor or unlikely to result in serious harm to you (including as a result of remedial action by us). You can find general information about the NDB scheme under the Privacy Act 1988 at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.