- information or an opinion about an individual’s racial or ethnic origin, political opinions or membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices or criminal record;
- health information;
- genetic information that is not otherwise health information;
- biometric templates, or biometric information that is to be used for the purpose of automated biometric verification or biometric identification.
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether that information or opinion is true or not, and whether it is recorded in a material form or not.
Privacy Act means the Privacy Act 1988 (C’lth) as amended.
Russell Investments means all or any of the Russell Investments group of companies in Australia, being Russell Investment Group Pty Ltd, Russell Investment Management Limited, Total Risk Management Pty Ltd, Russell Investments Employee Benefits Pty Ltd and Russell Investments Financial Solutions Pty Ltd.
sensitive information means personal information that is:
TRM solicits personal information if it requests another entity or a person to provide the information or to provide a kind of information in which that personal information is included. Information is solicited in the following situations:
- a completed form or application is submitted by an individual; or
- a complaint letter is sent in response to a general invitation on a Fund’s website about how to make a complaint.
Total Risk Management Pty Limited (TRM) is the trustee of the Russell Investments Master Trust (Fund) and the Russell Investments PST. As a trustee, TRM regularly collects personal information about members and potential non-member beneficiaries of the Fund. Investors in the Russell Investments PST are wholesale investors and accordingly it is unlikely that TRM will hold personal information in relation to investors.
This personal information collected by or on behalf of TRM will be used for the primary purpose of managing and administering the Fund, including the maintenance of records and the determination of entitlement to benefits, the calculation and payment of those benefits and to meet regulatory requirements, such as member communication, reporting, governance and compliance (including, in particular, the requirements of the Anti-Money Laundering & Counter-Terrorism Financing Act 2006).
TRM is committed to maintaining the privacy of individuals whose personal information it collects, in accordance with the Australian Privacy Principles and the Privacy Act.
- manages personal information in an open and transparent way; and
- ensures that its service providers have appropriate practices, procedures and systems that will promote compliance with the Australian Privacy Principles and will enable TRM to deal with enquiries or complaints from individuals about compliance with the Principles;
This Policy provides an overview of TRM’s management of personal information and covers the following matters:
- the kinds of personal information that TRM collects and holds;
- how TRM collects and holds personal information;
- the purposes for which TRM collects, holds, uses and discloses personal information;
- how an individual may access and seek correction of personal information that is held by TRM;
- how an individual may complain about a breach of the Australian Privacy Principles and how TRM will deal with such a complaint; and
- whether TRM is likely to disclose personal information to an overseas recipient and, if so, in what countries the overseas recipients are likely to be located.
Individuals must have the option of not identifying themselves, or of using a pseudonym when dealing with TRM, unless TRM is required or authorised by an Australian law, or an order of a court or tribunal, to deal only with individuals who have identified themselves or it is impracticable for TRM to deal with individuals who have not identified themselves. Given the nature of the dealings with members, TRM considers that it would be impracticable for it to deal with an individual who has not identified himself or herself, given the need to protect personal and confidential information and to minimise the risk of fraud.
TRM will take such steps as are reasonable in the circumstances to make this Policy available free of charge and in an appropriate form. If an individual requests a copy of the Policy in a particular form, TRM will take such steps as are reasonable in the circumstances to provide it in that form.
3.1 Collection of personal information
TRM will not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of its functions or activities as trustee of the Fund.
TRM will collect sensitive information about an individual in the following situations, namely where:
- the information is reasonably necessary for one or more of TRM’s functions or activities and the individual consents to the collection of the information; or
- the collection of the information is required or authorised by an Australian law or an order of a court or tribunal.
TRM will collect personal information only by lawful and fair means.
Consent can be either express, or implied (for example, where a member does not opt out of the potential use of personal information in a particular way). Where consent is requested, the individual will be properly informed of what he or she is consenting to. Generally, TRM will not rely on an individual’s implied consent and will only do so if it considers it to be appropriate in the particular circumstances.
3.2 Unsolicited personal information
If TRM receives personal information about an individual that it did not solicit, it will, within a reasonable period of receipt, determine whether or not it could have collected the information under Australian Privacy Principle 3 had it solicited the information.
If so, then the Australian Privacy Principles and this Policy will apply to the information as if TRM had solicited it.
If TRM determines that it could not have collected the information under Australian Privacy Principle 3 it will, as soon as practicable (but only if it is lawful and reasonable to do so), destroy the information or ensure that it is de-identified.
3.3 How and why TRM collects, holds, uses and discloses personal information
TRM must collect personal information about an individual only from the individual unless it is unreasonable or impracticable to do so.
In practice, TRM receives personal information from a variety of sources. Where personal information is solicited by TRM, it is collected directly from the individual.
When TRM solicits personal information from a potential beneficiary to a death benefit payment from the Fund, it emphasises not only the type of information that is required but also that TRM is requesting information about that individual (and not about other individuals, such as other potential beneficiaries).
When sensitive information is solicited by TRM from a health service provider, in relation to a disablement or permanent incapacity claim by a member or former member, this is done with the express consent of the individual.
When a member first joins the Fund, personal information is generally provided by the prospective member’s employer, as the Fund is the default fund nominated by the employer for the purposes of the choice of fund legislation. TRM considers that this information is not solicited by TRM (given that it has no prior knowledge that the employee is to become a member of the Fund) and that it would be impractical and unreasonable to request the information from the prospective member directly, given that the personal information is generally provided by the employer at the same time as initial contributions for the individual are remitted to the Fund. Other prospective members, such as spouse members and non-standard employer sponsored members provide personal information by completing an application for membership form.
An employer may provide updated personal information about existing members to TRM, but this information is not solicited by TRM.
Unsolicited personal information may also be provided by other entities, including other superannuation funds, Government regulatory authorities and insurers. In some cases, TRM receives unsolicited personal information about an individual from another individual - for example, when TRM is deciding the recipients of a death benefit.
Information is collected from members in a number of forms, including
- in written form (usually signed by the member);
- electronically (via email); and
- verbally or electronically via the IVR, a service representative or the Fund’s website.
Telephone calls to the Fund’s helpline are recorded and stored. Information collected from employers is generally provided to Russell Investments electronically, from the employer’s payroll system.
Like most trustees, TRM has appointed a number of service providers to assist with the management of the Fund. These service providers currently include Russell Investments Employee Benefits Pty Ltd (RIEB) as the provider of benefit administration and consulting services for the Fund, State Street Australia Limited as provider of investment administration and custodial services for the Russell Investments PST, Russell Investment Management Limited as provider of investment management and asset consulting services and various other service providers such as auditors, insurers, claims assessors and legal advisers.
RIEB has outsourced the provision of most administration services to Link Super Pty Ltd (Link Super). Link Super has entered into an agreement with Tech Mahindra Limited and Mindtree Limited (Link service providers) both providers are based in India. The Link service providers are entitled to access the administration records maintained by Link, in order to provide administration and IT services to Link Super.
In most cases, personal information is collected or received by Link Super, as part of the administration services that it provides.
- assurance that each service provider complies with the Privacy legislation and the Australian Privacy Principles; and
- annual confirmation from Russell Investments Employee Benefits that Link Super and the Link Service Providers have maintained and implemented policies and procedures designed to ensure compliance with the Privacy Act.
In order to administer the Funds, relevant personal information about members is collected and stored. This information includes:
- name and contact details;
- date of birth;
- tax file number;
- salary details;
- bank account details;
- employment start date and occupation;
- nominations (eg. of beneficiary) and elections (eg. member investment choice) and
- IP address (when you use the Fund website).
The administrator stores each member’s tax file number (TFN), if the member chooses to provide that information or where it is provided by the member’s employer, pursuant to the Superannuation Industry (Supervision) Act 1993 (SIS).
Sensitive personal information is collected and used to process claims for disablement benefits (relating to the member’s health) and death claims (relating to the individual’s sexual orientation, if relevant to the establishment of dependency).
The administrator collects information about potential beneficiaries (who are not members of the Fund) in order to assess their entitlement to a deceased member’s benefit. This information includes:
- date of birth;
- details of relationship with the deceased member; and
- other relevant details in any particular case, including financial information and information about the individual’s sexual orientation, if relevant to the establishment of dependency.
This information is collected for the primary purpose of the management of the Fund, including the provision of services to members. It is used to provide all relevant administration services, including:
- recording contributions;
- maintaining member records; and
- the determination and payment of benefits from each Fund.
The information may be used for a range of related secondary purposes by Russell Investments, including the provision of general education about superannuation and retirement issues and information about other benefits available to current and former members of the Funds.
When you visit a section of the Fund website hosted by Russell Investments or Link Super we can collect data including your IP address, which may be used to help us determine which pages are most popular, peak usage times and other information to help us make our sites more efficient and easier to use.
We will also set a 'cookie' on your machine (this is a small piece of system information stored on your hard drive) so when you next visit our site it links to your personal information that is stored on our system. If you do not wish us to use a cookie you can set your browser so it will not accept them.
The Fund website may contain links to other sites. We are not responsible for the privacy practices or the content of these websites.
Special rules apply to sensitive information, that includes “health information”.
The administrator collects sensitive information in order to process applications for insurance cover and claims for death and disablement benefits.
For disablement benefits, the administrator collects information such as details of the member’s medical condition (including medical reports), work experience and qualifications. It will generally need to disclose personal and sensitive information to a third party for verification purposes – for example, to a medical practitioner, in order to assess the member’s medical condition. When a member lodges a claim for a disablement benefit, the member is required to complete a privacy consent form, agreeing to the provision of personal and sensitive information to other parties, such as doctors and the insurer.
For death benefits, the administrator obtains details from potential beneficiaries in order to determine the appropriate distribution of the benefit. This may include information about an individual’s sexual orientation, where relevant to the establishment of dependency. The administrator may need to disclose this information to another individual, for verification purposes.
TRM will retain the information it collects for many years, in case a legal dispute arises. If legal proceedings are commenced, TRM may be required to disclose the information to the relevant court or tribunal.
At or before the time it collects personal information (or, if that is not practicable, as soon as practicable after) TRM is required to take such steps (if any) as are reasonable in the circumstances to either:
- notify an individual about whom TRM has collected personal information of specified matters; or
- otherwise ensure that the individual is aware of any such matters.
TRM has adopted the second approach, but also provides tailored information on a number of the forms that a member may complete for a specific purpose, such as an insurance request form.
In relation to members of the Fund, TRM provides the following information in the Product Disclosure Statements and in this Policy as relevant:
- the identity and contact details of the Fund/TRM;
- that TRM collects personal information about members in order to manage the Fund and to comply with legislative requirements, and that this information is often collected from the member’s employer and may also be collected from a medical practitioner or other person if the member has made a claim for a disablement benefit;
- that the collection of certain personal information is authorised or required by the Superannuation Industry (Supervision) Act 1993 and the Anti-Money Laundering & Counter-Terrorism Financing Act 2006 and that Australian courts and the Superannuation Complaints Tribunal may require TRM to collect personal information for provision to the court or Tribunal if proceedings are brought against TRM or a complaint is made about TRM;
- the main consequences for the member if all or part of the personal information is not collected, for example that the member may pay more tax than would otherwise be the case, that TRM may not be able to accept non-concessional contributions or that TRM may not be able to give effect to instructions from the member;
- that TRM may disclose the information to Regulators, other superannuation funds, to service providers such as insurers, the auditor, actuary, administrator and the tax adviser and to a court or the Superannuation Complaints Tribunal;
- whether TRM is likely to disclose personal information to overseas recipients and, if so, the countries in which they are located.
In relation to individuals who are not members of the Fund, such as the dependants or potential dependants of a deceased member or the spouse or former spouse of a member who has sought to exercise rights under the Family Law Act 1975, TRM provides some or all of the foregoing information, as appropriate, when first communicating with the individual.
The organisations and people to which TRM may disclose personal information include:
- TRM’s delegates, service providers (including Russell Investment Group, as the employer of the personnel who provide services to TRM) such as the administrator, actuary, insurer, auditors, tax advisers, underwriters, assessors, legal advisers, custodian, investment managers, consultants, printers, mailing houses and any sub-contractor of a service provider (such as Link Super and the Link Service Providers, in relation to the provision of administration and IT services), medical and other professionals engaged by TRM or an insurer to assist with the processing of disablement claims;
- a member’s employer – for the purposes of updating or confirming the accuracy of TRM’s records and determining benefits or for any other purpose directly associated with the management of the Funds and the performance by TRM of its responsibilities as trustee of the funds;
- a member’s nominated financial adviser or dealer group, unless instructed otherwise by the member;
- Government regulators, including the Australian Tax Office, APRA, AUSTRAC and ASIC;
- other superannuation entities, in relation to benefit transfers;
- potential beneficiaries, in relation to a death benefit distribution;
- a spouse or former spouse of a member, if required by law;
- courts and tribunals.
TRM will not otherwise disclose any personal information that has been collected unless:
- express consent is given by the individual affected; or
- disclosure is required by law.
Members have access to their personal information collected by TRM and are able to advise of any corrections that need to be made to this information. However, there are circumstances in which TRM is not required to give access. Also refer to Australian Privacy Principle 12 Access to Personal Information.
For example, TRM is not required to give access to the extent that:
- giving access would pose a serious threat to the life, health, or safety of any individual, or to public health or public safety;
- giving access would have an unreasonable impact on the privacy of other individuals;
- the request for access is frivolous or vexatious;
- the information relates to existing or anticipated legal proceedings between TRM and the individual and wouldn’t be accessible by discovery in those proceedings;
- giving access would reveal the intentions of TRM in relation to negotiations with the individual in such a way as to prejudice those negotiations;
- giving access would be unlawful;
- denying access is required or authorised by an Australian law, or an order of a court or tribunal;
- TRM has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to TRM’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter;
- giving access would be likely to prejudice enforcement related activities by or on behalf of an enforcement body; or
- giving access would reveal evaluative information generated by TRM in connection with a commercially sensitive decision-making process.
TRM will grant access to personal information only where the individual has given appropriate verification of identification, that may be required to be in writing. TRM will respond to a request for access within a reasonable period and give access in the manner requested, if it is reasonable and practicable to do so.
TRM will take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of TRM and the individual. This may involve giving access through the use of a mutually agreed intermediary.
If TRM refuses access to personal information or has not given access in the manner requested by the individual it will provide written reasons for the refusal (except to the extent that, having regard to the grounds for the refusal, it would be unreasonable to do so) and advise of the mechanisms available to complain about the refusal.
TRM reserves the right to impose a fee for providing access to information, to cover any reasonable costs it incurs.
Personal information about an individual, collected by TRM for a particular purpose (primary purpose), will not be used or disclosed for another purpose (secondary purpose) unless the individual has consented or the following conditions are satisfied:
- the individual would reasonably expect TRM to use or disclose the information for the secondary purpose and that purpose is related to the primary purpose (if the information is sensitive information, it must be directly related to the primary purpose);
- the use or disclosure is required or authorised by or under an Australian law or order of a court or tribunal;
- TRM has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to its functions or activities has been or is being engaged in and TRM reasonably believes that the use or disclosure is necessary for TRM to take appropriate action in relation to the matter;
- TRM reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities by, or on behalf of, an enforcement body (in which case, TRM will make a written note of the use or disclosure); or
- the use or disclosure is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim.
TRM will use or disclose personal information (other than sensitive information) for the purpose of direct marketing only as permitted by the Privacy Principles. This direct marketing will generally be information about superannuation and retirement issues and about services and benefits available to current and former members of the Funds, being information that TRM considers members would expect to receive.
Individuals can elect at any time not to receive further direct marketing information, and TRM will not charge any fee in relation to such a request.
Where TRM uses personal information provided by a member to distribute marketing communications, the communication will include a simple means by which the individual may easily request not to receive further direct marketing communications.
TRM must not disclose personal information to an overseas recipient unless it has taken such steps as are reasonable to ensure that the recipient does not breach the Australian Privacy Principles in relation to the information.
TRM does not disclose information to an overseas recipient directly. However, authorized overseas recipients are able to access certain personal information in certain circumstances for example, the Link service providers who are based in India.
Where State Street provides services for the Fund or the PST, those services (or parts of those services) may be performed in India, China or the United States of America. However, access to a member’s personal information would be limited as they provide services at the overall Fund or PST level.
TRM requires its service providers to ensure that personal information that is authorized to be accessed by overseas recipients is only accessed or used in accordance with the Australian Privacy Principles.
TRM uses a member’s PIN or other personal information or the unique member number to identify a member who wishes to transact with the Fund.
TRM is permitted to request a member’s tax file number and whenever it does so, it will provide information in accordance with the Guidelines issued pursuant to the Privacy Act.
TRM may use a member’s tax file number to locate, in the records or accounts of the Fund, amounts held for the benefit of that member. TRM is also permitted to use a member’s tax file number to facilitate the consolidation of a member’s superannuation in different funds, but only with the consent of the member.
TRM takes reasonable steps to ensure that the personal information that it collects, uses or discloses is accurate, up-to date, complete and relevant and to protect information that it holds from misuse, interference, loss, unauthorised access, modification or disclosure.
Personal information collected by TRM is accessed by its officers, agents (such as service providers), delegates and Russell Investments employees.
TRM outsources various functions to service providers who are required to comply with the Privacy legislation.
Most of the personal information collected by TRM is held by the administrator on the administration system. This system is password protected to minimise the risk of unauthorised access. Personal information in written form is held in appropriately secure locations to minimise unauthorised access.
Access to each member’s information via the Fund’s website is protected by the use of a member number and a PIN or password. Records are kept of visits to various parts of each website, to enable TRM to observe trends and to improve the sites.
Where TRM no longer needs personal information that it holds and it is not required to retain the information, it will destroy the information or ensure that it is de-identified.
If TRM holds personal information about an individual and either:
- it is satisfied that it is inaccurate, out-of-date, incomplete or irrelevant; or
- the individual requests TRM to correct the information,
TRM will take such steps (if any) as are reasonable in the circumstances to correct that information.
TRM will respond to a request from an individual to correct his or her personal information as soon as possible and within a reasonable period and will not charge for making the request or correcting the information.
If the information was disclosed to another entity, then TRM will notify that other entity of the correction, if the individual requests this (unless it is impracticable or unlawful to do so).
If TRM refuses a request to correct personal information, it will provide reasons for the refusal (except to the extent that it would be unreasonable to do so) and notify the individual of the mechanisms available to complain about the refusal. If the individual requests TRM to associate with the information a statement that it is inaccurate, out-of-date, incomplete or irrelevant, TRM will ensure that the records held by the administrator are amended accordingly.
Members can access information about their superannuation fund from the Fund website or by calling the telephone number advised to members in the Product Disclosure Statement.
The Privacy Officer
Total Risk Management Pty Ltd
Level 1, 60 Martin Place
Sydney, NSW 2000
Phone: 02 9229 5111
If you make a complaint to the Privacy Officer, we will investigate the matter and respond to you within a reasonable timeframe.
Where there has been a serious breach of a member’s privacy (i.e. a personal data breach), the Trustee may report the breach to OAIC.
From 22 February 2018 (unless an earlier date is proclaimed by legislation), TRM will be required to notify OAIC and the affected members as soon as practicable where TRM has reasonable grounds to believe that an Eligible Data Breach has occurred.
Eligible Data Breach
An Eligible Data Breach happens where:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
“Likely” means that a reasonable person would be satisfied that the risk of serious harm occurring is more probable than not.
“Serious harm” could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation. It can also include other forms of serious harm that a reasonable person in the Trustee’s position would identify as a possible outcome of the data breach.
Note, while individuals may be distressed at an unauthorised access/loss of their personal information, this may not be sufficient in itself to be considered as resulting in serious harm.
Notification to Members
Where an Eligible Data Breach has occurred, TRM will write to the affected member(s) and advise at a minimum:
- a description of the data breach,
- the kinds of information concerned,
- recommendations about the steps that individuals should take in response to the data breach, and
- contact details should the member(s) require any further information.