
Regulation and risk collide: Managing information as an AFSL

With the recent spate of data breaches now extending to the financial services industry, AFSLs are racing to ensure that their information management procedures are up to scratch, writes Samantha Hills.

by Industry Expert
April 27, 2023
in Expert Analysis

With the recent spate of data breaches now extending to the financial services industry, Australian financial services licensees (AFSLs) are racing to ensure that their information management procedures are up to scratch.

We recommend considering information broadly, so that your measures cover information in multiple forms and cover both personal information, as it is understood under the Privacy Act 1988, and confidential information.


The challenge for information management in 2023 is the collision of regulatory and risk management considerations.

Phases of information management

Information management may be divided into four phases: collect, secure, retain and destroy.

•    Collect

When deciding what personal information to collect, consider the Australian Privacy Principle (APP) 3, which states that an entity “must not collect personal information unless the information is reasonably necessary for one or more of the entity’s functions or activities”. There are additional requirements for sensitive information. This will be a relevant consideration, for example, for licensees which collect information from individuals in order to provide advice in relation to life insurance.

From a risk management perspective, it is sensible to adopt a similar approach to considering what confidential information to collect in relation to a client which is not an individual, such as the trustee of a self-managed super fund (SMSF). That is, what information is reasonably necessary for one or more of the entity’s functions or activities?

From a regulatory perspective, the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the Corporations Act 2001 require licensees to collect (or record) a range of information in relation to clients. For example, the former requires you to collect information in order to properly identify a client. The latter requires you to collect information to satisfy best interests obligations when providing personal advice to retail clients or when a complaint is made in relation to the licensee’s financial products or services.

•    Secure

A number of regimes set out broad security requirements for information held by licensees. For example, APP 11.1 requires an entity holding personal information to “take such steps as are reasonable in the circumstances to protect the information:

a.    From misuse, interference and loss; and
b.    From unauthorised access, modification or disclosure.”

The Privacy (Tax File Number) Rule 2015 sets out special requirements for protecting tax file number information. These requirements include restricting access to the information.

The whistleblower protections under the Corporations Act prohibit disclosure of information relating to the identity of a whistleblower. 

Many contractual relationships with third parties will impose obligations (either via express or implied terms) to keep information confidential.

•    Retain

A licensee needs to determine for how long it should keep particular types of information. Minimum recordkeeping requirements are set by the same regulatory regimes which require the licensee to collect information and keep records in the first place.

For example, under the AML/CTF Act, if a reporting entity makes records of the customer identification procedure, or information obtained in the course of carrying out the procedure, in respect of a particular customer, the record (or a copy of it) needs to be kept for seven years after the entity stops providing designated services to the client.

For personal advice given to retail clients, ASIC Class Order [CO 14/923] requires the licensee to keep records of the information relied on to demonstrate compliance with the best interests obligations.  

These records must be kept for seven years after the day the personal advice was provided to the client.

Once these minimum timeframes have elapsed, there are other issues to consider. APP 11.2 requires an entity to de-identify and destroy information once the entity no longer requires it for any purpose for which the information may be used or disclosed under the APPs.

Even if statutory retention periods have been met, the licensee should not destroy information if it relates to an existing complaint. And there are explicit obligations not to destroy information that may be used as evidence in legal proceedings.

Plus, the licensee needs to consider litigation risk. Statutes of limitations in the various States provide a defence to actions brought after the expiry of the limitations period.  

For example, in contract law or negligence, or for civil remedies under the Corporations Act, this period is six years after the cause of action arises.  For breach of contract, any alleged breach will generally occur while the relationship with a client (or other party) is on foot.  For actions in negligence, the cause of action arises when the loss occurs.  Consider the situation where a personal advice licensee gives advice to a client in 2023 to invest in a product, the product heads south in 2035, and the client sues the licensee in 2036. If the licensee has destroyed its records, it will struggle to defend itself in court.

This all needs to be weighed against cyber security and privacy risk.  The more information you collect and the longer you keep it, the more you increase these risks.

•    Destroy

This leads us to the final step in the life cycle of information: destroy. Once you have decided on the period for which you will keep particular information, when that period has elapsed, you need to destroy the information. We recommend creating a schedule that guides you on what can be destroyed when. You should build document destruction into your regular processes.

Effective destruction, like information security, will involve the help of qualified IT experts.  These experts are no longer a “nice to have” for an AFS licensee but an essential part of your compliance framework.

Samantha Hills is a partner at Holley Nethercote Lawyers.
 
