- Purpose of the policy
CPAS is committed to protecting the privacy of personal information obtained through its operations as a professional services firm. CPAS is bound by the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (APPs) and any relevant privacy code registered under the Privacy Act.
- Policy Statement
The 13 Australian Privacy Principles apply to personal information, that is, information or an opinion (whether true or not) relating to an identified individual or which can be used to identify that individual. Please note that information about companies is not personal information. However, the principles will apply to an individual who is carrying on a business as a sole trader. My office is subject to policies and procedures that seek to ensure that this organisation complies with the Australian Privacy Principles.
- The kinds of personal information we collect and hold
CPAS collects personal information that is reasonably necessary for, or directly related to, its functions or activities, e.g. audit services, taxation advice and services and similar business activities. The specific types of personal information CPAS may collect and hold include the following:
- contact details;
- business/mailing address;
- nature of business;
- advice received from the client or prospective client that may contain additional personal information, such as family relationships and other business-related connections;
- qualifications, memberships and other accreditations; and
- financial records.
As set out below, CPAS also collects certain information that is not directly and specifically provided by third parties, such as an IP address, browsing pattern on the site, click stream, and the status of cookies placed on a computer. CPAS does not collect any personal information other than information reasonably necessary for, or directly relating to, the primary purpose for which CPAS has been engaged or may be engaged, or its other functions and activities.
- How we collect personal information
CPAS only collects personal information that has been directly provided to us by our clients or prospective clients, associates of clients, our suppliers or potential suppliers, our employees or potential employees, or is otherwise available in the public domain where this information will assist us with the provision of services to our current and prospective clients. Information may have been provided verbally or in writing (including by email or through web forms).
CPAS may from time to time collect personal information concerning an associate of a client or a prospective client (e.g. a spouse or a child) where it is considered unreasonable or impracticable to seek this same information directly from the associate.
By way of example, we may at times seek personal information such as a name, address, date of birth and similar personal information directly from a client in relation to their associate (for example, their spouse, de-facto partner or their children) where we are satisfied that the associate would not object to the provision of that information to us in order for CPAS to provide services involving that associate.
We also log IP addresses, or the location of computers on the internet, to help diagnose problems with our server and to administer the site. If the user prefers not to accept a cookie, they can set their web browser to warn them before accepting any cookies. Alternatively, they can refuse all cookies by turning them off in their web browser.
- How we use your personal information
CPAS may at times use and disclose personal information about an individual for the “primary purpose” of collection (i.e. the dominant or fundamental purpose for which that information is collected). As well as providing services to clients, that “primary purpose” includes facilitating our internal business processes, communicating with clients, prospective clients and other external parties, providing ongoing marketing information about our products and services, complying with our legal obligations and dealing with enquiries and complaints.
In certain circumstances, the law may permit or require us to use or disclose personal information for other purposes (for instance where a client would reasonably expect us to and the purpose is related to the purpose of collection).
For tax clients, tax file numbers:
- can be collected by tax agents and accountants;
- can be used only to conduct the client’s affairs; and
- can be disclosed only to the client and the Australian Tax Office.
Our policy is that we do not collect sensitive information about our clients or prospective clients. If any of our clients or prospective clients elects to provide us with any sensitive personal information, we will take all reasonable steps to ensure that the sensitive information is securely protected.
- Disclosure of Personal Information
Personal information is not disclosed to a third party unless the disclosure is necessary to support the delivery of the client services for which CPAS has been, or is expected to be, engaged, or is required by law. Examples where personal information may be disclosed to a third party include:
- disclosures to our related companies to provide services;
- superannuation details to a fund administrator;
- Tax File Number Declaration to the Australian Taxation Office;
- where CPAS is required by law to provide personal information so that CPAS complies with court orders, subpoenas or other legislation that requires us to provide personal information (for example, a garnishee order).
In certain circumstances, CPAS may also disclose personal information to third party service providers (such as IT service providers) who assist us to administer our business.
Periodically CPAS will, being a CPA branded firm, be subjected to an audit by CPA. At that time the auditor will have access to all files. This disclosure of personal information is notified to clients in the “engagement letter”.
Should it be necessary for CPAS to forward personal information to third parties outside the firm, we will make every effort to ensure that the confidentiality of the information is protected.
- How we store your personal information
CPAS will take all reasonable steps to protect against the loss, misuse and/or alteration of the information under its control, including through appropriate physical and electronic security strategies. Only authorised CPAS personnel are provided access to personal information, and these employees are required to treat this information as confidential. CPAS may need to maintain records for a significant period of time. However, when we consider information is no longer needed, we will destroy or de-identify these records.
Our policy is that all electronic records are only stored within Australia whenever this is commercially feasible. However, on occasion, a limited number of specialist software applications may involve the storage of personal data at an overseas location where a suitable alternative is not available. At present, we use Xero software. The data in Xero is backed up to the Cloud and this data is encrypted and stored at various server sites around the world.
- Accuracy of personal information
CPAS will take all reasonable steps to make sure that any personal information collected, used or disclosed is accurate, complete and up to date.
If a person believes that the information we hold is inaccurate or out of date, they may contact our Privacy Officer and we will update the relevant information accordingly.
- Access to personal information
Under the Australian Privacy Principles, a person has the right to request access to any personal information that we may hold about them and to advise us if the information should be corrected. The Australian Privacy Principles set out the circumstances when we can refuse those requests. If we do refuse a request, we will provide the person with a written notice that sets out the reasons (unless it would be unreasonable to provide them).
Subject to our right to refuse access, CPAS will provide the person with a report that lists any personal information that we may hold.
Our policy is to provide written acknowledgement of our receipt of any request for access to personal information or a request for correction of personal information within 7 days of the request being received. We will then provide a written response within 30 days of our receipt of the request.
In the event that an individual would prefer to submit a privacy request using a pseudonym or otherwise keep their identity secret, CPAS will do its best to support that request if it is feasible to do so under the circumstances.
- Privacy Enquiries
If you wish to make an enquiry about your personal information at CPAS, or make a complaint because you believe that we may have breached the Australian Privacy Principles or a privacy code that applies to us, please email our nominated Privacy Officer at firstname.lastname@example.org or telephone 0405 097 681.
We will respond to each request within a reasonable time.
If a party has lodged a complaint with CPAS and is not satisfied with our response, they may contact the Commonwealth Information Commissioner.