We have security measures in place and take all reasonable steps to ensure that your information in both hard copy and electronic format is stored in a secure environment and protected from misuse, interference or loss, and from unauthorised access, modification or disclosure.
We have a dedicated Data Governance and Security team that is responsible for our Data Governance Policy, associated systems and processes, and 24/7 monitoring of our networks. This team works with external security specialists to implement multiple measures, including strict data handling protocols.
We also conduct regular audits and tests to ensure these systems and processes are working.
We assess all our external vendors against our extensive set of Security Standards, as required under APRA CPS/CPG 234. Vendors are required to report annually on how they have met or exceeded our standards.
Our administrator, Mercer, arranges for independent audits of their systems and processes to be conducted and provides details of these audits to us. The audit reports are then reviewed by our IT Security Manager or our external expert security consultancy to seek to ensure they align with our standards.
Your personal information is also protected through the use of secure passwords, usernames and different levels of access. At all times, access to your information is restricted to staff who require the information to administer your account and provide information and services to you. It is also restricted through the use of security identification checks performed by staff before any disclosure of personal information over the phone. We train our staff who handle personal information on the importance of protecting the personal information and the privacy of individuals.
In certain circumstances we are required to collect government identifiers such as a tax file number, Medicare number or pension card number. We do not use or disclose this information other than when required or authorised by law or unless you have consented to disclose this information to a third party.
As required under the Privacy Act, when we no longer need the information for any purpose and it is not required under Australian law to retain the information, it is destroyed in a secure manner or deidentified. This includes the secure disposal and erasure of hard copy and electronically stored personal information.