Privacy Collection Notice (Prudential Supervisory Activities)
The Australian Prudential Regulation Authority (APRA) collects personal information, which may include sensitive information, as part of its prudential supervisory activities.
This information is collected by APRA by various methods, including via APRA Connect (APRA’s data collection solution for reporting entities), email and SecureDoc, where the information is directly related to or reasonably necessary for the performance by APRA of its functions or the exercise by APRA of its powers under the Australian Prudential Regulation Authority Act 1998 (APRA Act) or other relevant laws (including the “prudential regulation framework laws”, as defined in subsection 3(1) of the APRA Act), or otherwise where the collection of the information is permitted or required by law.
This Privacy Collection Notice forms part of APRA’s Privacy Policy (as may be amended or replaced from time to time) (Privacy Policy), and together this Privacy Collection Notice and the Privacy Policy form APRA’s notice under Australian Privacy Principle (APP) 5 regarding the collection of personal information during the course of APRA’s prudential supervisory activities. For additional information about APRA’s general personal information handling practices, please refer to the Privacy Policy.
This Privacy Collection Notice contains information about how APRA handles personal information collected as part of APRA’s prudential supervisory activities and sets out how such personal information can be accessed and corrected. This Privacy Collection Notice also contains information on the storage and security of such personal information and how to contact APRA, including how to make a complaint if it is believed that APRA may have interfered with an individual’s privacy.
Where personal information is submitted to APRA on an individual’s behalf, the person or entity submitting that information to APRA must ensure that the relevant individual is aware of and has provided their prior consent to the provision of the information to APRA, the circumstances of the provision of the information to APRA and the terms of this Privacy Collection Notice and of APRA’s Privacy Policy.
Personal information which is collected by APRA for the purposes of its prudential supervisory activities
The personal information which APRA collects for the purposes of its prudential supervisory activities includes:
- personal identification information including full names and date of birth;
- contact information including phone numbers, addresses and email addresses;
- employment information including an individual’s position title, the name of their employer and their reporting line;
- information relating to an individual’s meeting attendance, skills, capability and/or work experience, remuneration, entity committee memberships or directorships, political associations and/or trade union associations or any actual, potential or perceived conflicts of interest;
- information associated with contraventions of relevant laws, prudential standards or reporting standards and any action taken in respect of the same; and
- information associated with complaints or comments received in respect of specific entities, including whistleblower reports.
How APRA collects personal information for the purposes of its prudential supervisory activities
APRA collects personal information for the purposes of its prudential supervisory activities by various methods. For example, personal information may be collected by APRA from regulated entities via APRA Connect or SecureDoc, from other regulators or otherwise during the course of its engagement with relevant persons and organisations.
For the purposes of the above, APRA may collect information about an individual from another entity, body or person. For example, an individual’s personal information may be provided to APRA by their employer for the purposes of APRA undertaking its prudential supervisory activities.
Why APRA collects, uses and discloses personal information for the purposes of its prudential supervisory activities
APRA collects, and may use or disclose, the types of personal information described in this Privacy Collection Notice for the purposes of its prudential supervisory activities and otherwise for the purposes set out in APRA’s Privacy Policy, in each case in accordance with this Privacy Collection Notice, the Privacy Policy and applicable laws.
This may include:
- registering a person as a user with APRA Connect and maintaining and managing that person’s registration;
- handling and responding to queries and requests received in relation to APRA’s prudential supervisory activities;
- developing reporting requirements; and
- publishing aggregated data.
If APRA does not collect the personal information which it requires in order to register a person as a user with APRA Connect and to maintain and manage that person’s registration, APRA may be unable to offer the use of APRA Connect to that person.
Disclosure of personal information collected for the purposes of APRA’s prudential supervisory activities to other entities, bodies or persons
APRA may disclose personal information to other Australian or overseas entities, bodies or persons, including to:
- service providers who are engaged by APRA to assist it with its activities and functions;
- other regulators, such as other Commonwealth, State or Territory agencies or bodies, or overseas regulators or other international bodies; and
- courts or tribunals.
APRA may also disclose personal information to other Australian or overseas entities, bodies or persons in certain circumstances, including where:
- the relevant individual has consented to the disclosure;
- the relevant individual would reasonably expect APRA to disclose the personal information;
- APRA is required or authorised to disclose the information under an Australian law; or
- APRA reasonably believes the disclosure is reasonably necessary for enforcement-related activities.
Australian and overseas recipients of personal information may include those with whom APRA has in place a memorandum of understanding or letter of arrangement. For further information, including on the countries in which these potential overseas recipients may be located, please refer to the “Memoranda of understanding and letters of arrangement” page on APRA’s website.
Access to and correction of personal information collected for the purposes of APRA’s prudential supervisory activities
A person is entitled to access any of their personal information which is held by APRA and to seek the correction of that information to ensure it is accurate, up-to-date, complete, relevant and not misleading, subject to some conditions and exceptions imposed by law.
APRA’s Privacy Policy contains information about how an individual’s personal information can be accessed and corrected.
Storage and security of personal information collected for the purposes of APRA’s prudential supervisory activities
APRA stores personal information in compliance with its obligations under the Commonwealth Protective Security Policy Framework.
The information is securely stored to prevent any loss, interference or misuse or unauthorised access, modification or disclosure. The reasonable steps APRA takes to ensure it complies with APP 11 to secure personal information include password protection and access privileges, audit logs and APRA policies relating to information management and acceptable use of information, as well as information technology.
Information collected by APRA to which the Archives Act 1983 (Cth) applies will be dealt with in accordance with the provisions of that Act.
Contact and complaints
For information on how APRA may be contacted, including information on how to make a complaint and how APRA will deal with such a complaint where APRA is believed to have breached the APPs or any applicable registered APP code, please refer to APRA’s Privacy Policy.