FAR Privacy Collection Notice
The Australian Prudential Regulation Authority (APRA) collects personal information, which may include sensitive information, about individuals who are subject, or connected by way of employment or otherwise, to the Financial Accountability Regime (FAR). APRA is required or authorised to collect this information under the Financial Accountability Regime Act 2023 (Cth) (the FAR Act), the Financial Accountability Regime (Consequential Amendments) Act 2023 (the FAR Consequential Amendments Act) or other applicable laws.
This information is primarily collected by APRA through APRA Connect, a dedicated FAR electronic mailbox and during the course of APRA’s general supervisory activities, in each case for purposes which are directly related to or reasonably necessary for APRA to perform the functions and exercise the powers conferred on it under the FAR Act and the FAR Consequential Amendments Act. Terms which are used in this Privacy Collection Notice and which are defined in the FAR Act or the FAR Consequential Amendments Act have the same meaning as set out in those Acts (as applicable), unless the context requires otherwise.
This Privacy Collection Notice forms part of APRA’s Privacy Policy (as may be amended or replaced from time to time) (Privacy Policy), and together they form APRA’s notice under Australian Privacy Principle (APP) 5 for collecting personal information in relation to the FAR. For additional information about APRA’s general personal information handling practices, please refer to APRA’s Privacy Policy.
The Australian Securities and Investments Commission (ASIC) also collects personal information for the purposes of administering the FAR jointly with APRA. Please refer to ASIC’s Collection Notice – FAR and to ASIC’s Privacy Policy for further information.
This Privacy Collection Notice contains information about how APRA handles personal information for the purposes of administering the FAR and sets out how an individual’s personal information can be accessed and corrected. This Privacy Collection Notice also contains information on the storage and security of such personal information and how to contact APRA, including how to make a complaint if it is believed that APRA may have interfered with an individual’s privacy.
Where personal information is submitted to APRA on an individual’s behalf, the person submitting that information must ensure that the relevant individual is aware of and has provided their prior written consent to the provision of the information to APRA, the circumstances of the provision of the information to APRA and the terms of this Privacy Collection Notice and APRA’s Privacy Policy.
What we collect for the purposes of administering the FAR
The personal information APRA collects for the purposes of administering the FAR includes:
- registration and identification data including information collected when a person registers and logs in to use APRA Connect, such as that person’s name, contact details, user ID and password;
- data and information received through the FAR electronic mailbox; and
- data and information which is submitted when using any FAR related form or return through APRA Connect, including any attached document(s), or information which is otherwise provided, such as the following information about accountable persons under the FAR:
- personal identification information including full names, date of birth and director identification numbers (if applicable);
- contact information including phone numbers and email addresses;
- employment information including the person’s position title, their employer’s name and their reporting line information;
- accountability information such as any assigned general or prescribed responsibilities or applicable key functions, corresponding commencement and cessation dates and where relevant, accountability statements and maps; and
- information associated with contraventions of the FAR Act.
How we collect personal information for the purposes of administering the FAR
APRA may collect personal information directly from an individual if that person submits a FAR related form or return (including any attached document) through APRA Connect or provides any personal information by way of email to the dedicated FAR electronic mailbox or during the course of any communication with a relevant APRA staff member, such as an APRA supervisor.
APRA may also collect information about an individual from another entity, body or person. For example:
- an individual’s personal information may be provided to APRA by their employer or their FAR administrator, or another representative or employee authorised to carry out FAR related activities on behalf of the individual’s employer or in connection with the individual’s obligations under the FAR; and
- an individual’s personal information may be provided by another entity, body or person with obligations under the FAR (such as a significant related entity for which an individual is an accountable person, or an investigator appointed under the FAR Act to investigate and report in relation to an accountable entity or a significant related entity where there are reasonable grounds to believe that the relevant entity or an accountable person of the same may have contravened a provision of the FAR Act).
Why we collect personal information for the purposes of administering the FAR
APRA collects the types of personal information described in this Privacy Collection Notice to perform the functions and exercise the powers conferred on it by the FAR Act and the FAR Consequential Amendments Act, and otherwise for the purposes set out in APRA’s Privacy Policy.
This includes:
- registering a person as a user with APRA Connect and maintaining and managing that person’s registration;
- operating and administering APRA Connect;
- registering a person as an accountable person of an accountable entity or significant related entity;
- identifying relevant individuals, including by reference to other information APRA holds;
- maintaining a register of accountable persons for all entities which are subject to the FAR;
- understanding the accountability obligations of an accountable person including all applicable general or prescribed responsibilities and key functions;
- understanding how accountability is managed for all entities which are subject to the FAR;
- performing supervisory activities in connection with the administration of the FAR, and any associated investigation or enforcement activity;
- jointly administering the FAR Act and, where applicable, the FAR Consequential Amendments Act with the Australian Securities and Investments Commission; and
- handling and responding to queries and requests received in relation to the FAR.
If APRA does not collect the personal information which it requires in order to register a person as a user with APRA Connect and to maintain and manage that person’s registration, APRA will be unable to offer use of APRA Connect to that person.
In addition, a failure by an entity which is subject to the FAR to provide relevant personal information may result in APRA being unable to register a person as an accountable person under the FAR and, or, result in a breach by that entity of the FAR.
Use or disclosure of personal information collected for the purposes of administering the FAR
APRA may use or disclose personal information about an individual for the purposes of the FAR in accordance with this Privacy Collection Notice and APRA’s Privacy Policy, and also:
- when APRA makes forms or returns (including any attached documents) submitted through APRA Connect available for access by any person authorised to view them;
- when APRA prefills fields in forms or returns created by any user authorised to do so in APRA Connect;
- to publish on APRA’s website quantitative remuneration data collected under CRS 511.0; and
- for other regulatory and supervisory purposes.
Disclosure of personal information collected for the purposes of administering the FAR to other bodies and agencies
APRA may disclose an individual’s personal information, for the purposes for which APRA collected it, to ASIC for the purposes of APRA and ASIC’s joint administration of the FAR, as permitted or required under the FAR Act, the FAR Consequential Amendments Act or any other relevant legislation. For information about ASIC’s personal information handling practices, please refer to ASIC’s Collection Notice – FAR and to ASIC’s Privacy Policy.
APRA may also disclose an individual’s personal information:
- to service providers who APRA engages to assist it with its activities and functions;
- otherwise as required or authorised by a law of the Commonwealth, State or Territory, including disclosure to other Commonwealth agencies or bodies, State or Territory government agencies or bodies or a court or tribunal; and
- to the public, where personal information is authorised or required to be published in a register that can be searched by the public.
In addition, APRA may disclose an individual’s personal information to a third party in certain circumstances, including where:
- the individual has consented to the disclosure;
- the individual would reasonably expect APRA to disclose the personal information; or
- APRA reasonably believes the disclosure is reasonably necessary for enforcement related activities.
For further information concerning the entities, bodies or persons, or the types of entities, bodies or persons, to which APRA may disclose personal information, please refer to APRA’s Privacy Policy.
Access to and correction of personal information collected for the purposes of administering the FAR
A person is entitled to access any of their personal information which is held by APRA and to seek the correction of that information to ensure it is accurate, up-to-date, complete, relevant and not misleading, subject to some conditions and exceptions imposed by law.
Most of the personal information collected by APRA for the purposes of administering the FAR will be available for access on APRA Connect, and for correction on APRA Connect by way of notification returns which can be submitted by the FAR administrator of the relevant individual’s employer or another representative or employee authorised to carry out FAR related activities on behalf of the employer or in connection with the individual’s obligations under the FAR.
APRA’s Privacy Policy contains additional information about how an individual’s personal information can be accessed and corrected. In particular, where personal information collected and held by APRA for the purposes of the FAR cannot be accessed or updated through APRA Connect (such as a person’s title, date of birth and director identification number), requests for access to or the correction of the personal information can be made in accordance with APRA’s Privacy Policy.
Storage and security of information collected for the purposes of administering the FAR
APRA stores personal information collected for the purposes of administering the FAR in compliance with its obligations under the Commonwealth Protective Security Policy Framework.
The information is securely stored to prevent any loss, interference, misuse or unauthorised access, modification or disclosure. The reasonable steps APRA takes to ensure it complies with APP 11 to secure personal information include password protection and access privileges, audit logs and APRA policies relating to information management and acceptable use of information, as well as information technology.
Information collected by APRA to which the Archives Act 1983 (Cth) applies will be dealt with in accordance with the provisions of that Act.
Contact and complaints
For information on how APRA may be contacted, including information on how to make a complaint and how APRA will deal with such a complaint where APRA is believed to have interfered with an individual’s privacy and breached the APPs, please refer to APRA’s Privacy Policy.