Compliance & Risk Services

Issued 24 November 2022

Our privacy commitment to you

Compliance & Risk Services (“CRS”) is committed to respecting your right to privacy and protecting your personal information.

We are bound by the provisions of the Privacy Act 1988 (Cth), which contains thirteen Australian Privacy Principles which regulate how CRS collects, uses, discloses and keeps secure your personal information.

When you entrust us with your personal information, we know you expect us to protect it and keep it private.

This Privacy Statement and out Privacy Policy dated 1 November 2022, outlines the types of personal information CRS may need and the reasons for its collection, and explains how the information is collected, stored, used and disclosed. It will help you to understand how CRS takes all reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

About CRS

CRS is a boutique consultancy providing bespoke governance, risk, compliance, and strategic advisory services. Our origin and specialty lies in servicing the financial services sector including investment funds, superannuation funds, insurance companies, authorised deposit-taking institutions, non-banking institutions and financial planning practices.

What is personal information?

Personal information is information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Sensitive information is a sub-set of personal information which includes any information or an opinion about your racial or ethnic origin; your political opinions; your membership of a political association, a professional or trade association or a trade union; your sexual preferences or practices; your religious beliefs or affiliations; your criminal record; and your health or disability status (including genetic and biometric information).

What types of personal information is collected and why?

Personal information

Generally personal information is not collected by CRS for the purpose of providing professional services to our clients. However, where we do collect personal information the main types of personal information we collect include names, contact and address details, and job titles. In order to provide ourservices, we may also collect other forms of personal information, such as bank account details. In some circumstances we may also ask you to provide original or certified documentation to verify or support your personal information (such as your driver’s licence, passport or birth certificate).

CRS is required to obtain your consent to collect your personal information (i.e. where it hasbeen solicited directly by CRS). We will seek your consent andcollect personal information directly from you where it is reasonable and practical to do so (for example, when we deal with you in person or over the phone, when you send us correspondence or when you subscribe electronically to our publications).

Sometimes it may be necessary for us to collect your personal information from a third party, such as your personal representative or from a publicly available record. If we collect your personal information from someone else, we will act reasonably to ensure that you have been made aware that the information hasbeen collected, unless certain exemptions under the Privacy Act apply.

The personal information that we collect from or about you isreasonably necessary in order for CRS to perform the following primary functions and activities:

To provide professional services to, and manage our relationship with, clients.
To keep our clients and other contacts informed of our services and industry developments, and to provide notification of events.
For purposes related to the employment of our personnel and contractors.
For the engagement of service providers, contractors or suppliers relating to the operation of our business.
For other business-related purposes.

The personal information that CRS collects from or about you may also be used for secondary purposes such as assisting CRS to develop products and services suitable to our clients.

Sensitive information

There are specific circumstances where CRS may ask for, or collect on your behalf, sensitive information in order to perform a primary function or activity, such as your bank account details in order to make a payment for services rendered into your account.

Sensitive information will only be used and disclosed for the purpose for which it was provided, unless you agree otherwise or disclosure is required or authorised by or under an Australian law or court/tribunal order. We will always seek your express written consent before collecting sensitive information from you or on your behalf.

Information required by law

CRS is required by law to ask you to provide certain personal information. Wherever there is a legal requirement for us to seek information about you, we will inform you of the obligation and the consequences of not providing us with the requested information.

Information provided by a third party

If a third party (e.g. a CRS client) provides us with your personal information, they should only do so if they have your authority or consent to do so or if they are legally permitted or required to do so.

What happens if you don’t provide the information requested?

If you choose not to provide the personal information that we ask for, or the information that you provide to us is incomplete or inaccurate, it may mean that CRS may not be able to complete or fulfil the purpose for which such information is collected, including providing you with the services we have been engaged to perform.

Anonymity and pseudonymity

CRS understands that anonymity and pseudonymity are important elements of privacy and that you may wish to have the option of not identifying yourself, or of using a pseudonym, when dealing with us. CRS will allow you to remain anonymous or to use a pseudonym when dealing with us unless we are required or authorised by or under an Australian law, court or tribunal order to ask you to identify yourself or it is impracticable for us to deal with you unless you identify yourself.

It is generally not practical to remain anonymous or to use a pseudonym when dealing with CRS as usually we need to use your personal information to provide specific services to you, or which relate to or involve you.

How may your personal information be disclosed and why?

Generally, CRS will only disclose your personal information for the purposes for which it was collected.

The organisations and people to whom we may disclose your personal information include:

Experts or other third parties contracted as part of an engagement.
Our service providers and auditors.
Government bodies regulating the affairs of CRS and/or the affairs of our clients, including APRA, ASIC, ATO, AUSTRAC, ASX or AFCA.
If you are an employee, a member, a contractor or a supplier of services to a client, we may disclose your personal information as part of providing services to that client.

Confidential Information

CRS may have access to, or may share, confidential information with clients or contractors in the course of business. In situations where these circumstances may arise, we generally enter into a Non-Disclosure or Confidentiality Agreement with the relevant parties in order to protect the status of any confidential information.

Confidential information is any material that is identified as confidential by the parties to the Non-Disclosure or Confidentiality Agreement.

CRS takes reasonable steps to ensure that the confidential information it holds isprotected against misuse, interference, loss, unauthorised access, modification or disclosure. CRS and its employees and contractors must comply with any Non-Disclosure or Confidentiality Agreements entered into with individual clients. In addition, CRS and its employees and contractors are bound by the standard confidentiality provisions in our Consulting Services Agreements.

Provision of information to third parties

Your personal information will never be added to a general marketing database and is never provided to a third party directly for marketing purposes. CRS does not sell, rent or trade your personal information to or with third parties for the purpose of allowing them to send marketing material directly to you.

Provision of information to overseas recipients

If it is necessary for us to disclose some of your personal information to an organisation outside Australia, we will do so in a manner that isconsistent with the privacy laws.

Opting out of receiving this additional information

If you do not want to receive marketing material from CRS, you can contact us using the details provided below or use the Unsubscribe function on electronic communications.

Storage and Disposal of Personal Information

CRS takes reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

We collect and store your personal information in a combination of secure computer storage facilities and paper-based files and records held in secure platforms and premises.

CRS takes all reasonable steps to de-identify personal information in reports and work generally.

The personal information you provide to us will be retained for as long as necessary to fulfil the purposes for which the information was collected (unless CRS is required to retain the information under an Australian lawor court/tribunal order) and to meet our document retention obligations. On the expiry of the document retention period, CRS will take such steps as are reasonable in the circumstances to de-identify or destroy your personal information, unless it is still required for legal reasons.

Accessing and Correcting Personal Information

Access

You have a right to know what personal information CRS holds about you and to obtain access to it if required. You may request access to your personal information by contacting us using the details provided below. You may need to provide proof of your identity before access is provided. CRS reserves the right to charge a reasonable fee to cover any costs incurred in providing you with access to your personal information.

There are circumstances where CRS is not required to provide, or is prevented from providing, you with access to your personal information. Where access to your personal information has been denied or not provided in the manner reasonably requested, CRS will provide you with a written notice setting out the reasons for our denial of your request (unless having regard to the grounds for the refusal, it would be unreasonable to do so) and the mechanisms available to you to make a complaint about the refusal.

Correction

CRS aims to ensure that your personal information is up-to-date and complete. You have the right to ask CRS to take reasonable steps to correct any personal information that you believe is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is being held. You may need to provide proof of your identity before your information is corrected.

Personal information CRS has disclosed to another organisation will also be corrected at your request unless it is impracticable or unlawful to do so.

If we do not agree with the corrections that you have supplied, we are not required to alter your information. In such circumstances CRS will provide you with a written notice setting out the reasons for our denial of your request (unless having regard to the grounds for the refusal, it would be unreasonable to do so) and the mechanisms available to you to make a complaint about the refusal. We will not charge a fee to correct your information.

Our online services

Our website and CRS-Certus System

When you visit the CRS website and use our CRS-Certus System, we may obtain information from your personal computer. This is done to help us understand who visits our website. This information is not linked to any information you may provide and cannot be used to identify you.

From time to time the CRS’s website and CRS-Certus System may contain links to third parties’ websites. Those other websites are not subject to our privacy policies and procedures. Once you leave the CRS website and the CRS-Certus System the guidelines of this privacy policy no longer apply. You will need to review those websites directly to view a copy of their privacy policies and to ensure your personal information is protected.

Use of your email address

It is our policy to only record and use your email address to communicate with you if you advise us that you wish to receive email communication.

If you have provided your email address but no longer wish to receive electronic communications from us, you can click the Unsubscribe link within the email youreceived or contact us using the details provided below.

Notifiable Data Breach

We will notify you if we become aware that there has been a loss of, and/or unauthorised access to, or disclosure of, your personal information and that loss, unauthorised access or disclosure is likely to result in serious harm to you.

Contacting Us

If you have any questions about this Privacy Policy, if you wish to complain about how CRS has handled your personal information, or if you wish to access or correct the personal information that we hold about you, please contact:

The Managing Director

Compliance & Risk Services Pty Ltd

ACN 101 956 414

Level 25, 360 Collins Street

Melbourne VIC 3000

PO Box 180009 Collins Street

East Melbourne VIC 8003

Email: info@compliancerisk.com.au

If we receive a privacy complaint it will be treated seriously and dealt with promptly and in a confidential manner, and in accordance with CRS’s internal complaints handling procedures. It will not affect our existing obligations to you or affect the commercial arrangements that have been agreed with CRS. You will receive a written acknowledgement ofyour complaint within five business days of its receipt. A written response regarding your complaint will be forwarded to you within 20 business days of its receipt.

If we cannot resolve your complaint, then you may raise your issue with the Office of the Australian Information Commissioner.

All privacy breaches that have resulted in or are likely to result in serious harm to any individual affected are 'eligible data breaches' which must be reported by CRS to the Office of the Australian Information Commissioner. The Office of the Australian Information Commissioner (OAIC):

Director of Compliance (Investigations)

GPO Box 5218

Sydney NSW 2001

Telephone: 1300 363 992

Fax: 02 92849666

Email: enquiries@oaic.gov.au

Additional Information

CRS reserves the right to modify this Privacy Statement and the CRS Privacy Policy from time to time to reflect our current privacy practices. We will notify you of these changes by publishing them on our website – we will not separately notify you ofthese changes.

You may request a copy of this Privacy Policy in a particular form and we will take such steps as are reasonable inthe circumstances to give you a copy in that form, free ofcharge. However, should your request for access in a particular form be declined, or an access charge is imposed, we will explain thisdecision to you.

If you would like more information about how we operate and the professional services that weprovide, please contact us:

Compliance & Risk Services Pty Ltd

Telephone: (03) 9663 5644

Email: info@compliancerisk.com.au

Website: www.compliancerisk.com.au