INTRODUCTION
Fortnum and its Principal Practices and associated entities, including any Authorised Representatives
(Fortnum Group Members) (collectively, “we” or “us”) take very seriously our obligations under the
Commonwealth Privacy Act (Privacy Act) to protect your personal information. Under the Privacy
Act, we are bound by the Australian Privacy Principles, and in his Privacy Policy, we describe how we
intend to meet our privacy obligations.
PERSONAL INFORMATION
The Privacy Act sets out the information that it protects.
Personal information generally means information or an opinion about a person, where the person
is identified or is reasonably identifiable.
Sensitive information means a person’s health information, genetic information, certain biometric
information and biometric templates. It also means certain personal information, being an opinion
about a person’s:
• racial or ethnic origin;
• political opinions;
• membership of a political association;
• religious beliefs or affiliations;
• philosophical beliefs;
• membership of a professional or trade association;
• membership of a trade union;
• sexual orientation or practices; or
• criminal record
Where in this Privacy Policy we refer to personal information, unless the context requires otherwise
that is a reference to both personal information and sensitive information.
PERSONAL INFORMATION COLLECTED AND HELD
Fortnum and Fortnum Group Members only collect and hold personal information that is relevant
to, and reasonably necessary for, the financial and other services we provide to you. In addition, we
only collect sensitive information if you consent, or in specific circumstances set down in the
Australian Privacy Principles.
The kind of information we will be likely to collect, and hold includes your name, address and
contact details, tax file number, personal medical information, your date of birth and details about
your financial circumstances, goals and strategies.
CONSEQUENCES OF NOT PROVIDING YOUR PERSONAL INFORMATION
You are not obliged to give us your personal information. However, if you decide not to give us
information needed in order to provide you with services, we may not be able to provide those
services to you.
HOW YOUR PERSONAL INFORMATION COLLECTED AND HELD
Fortnum and Fortnum Group Members must collect personal information only by lawful and fair
means. We will usually only collect your personal information directly from you, for example, in
discussion with you or via email. We may collect your personal information from another person if
you consent, if we are required or allowed by law to do so, or if it would be unreasonable or
impracticable for us to have to collect it from you.
For example, it may be necessary to collect personal details from third parties, such as issuers or
operators of financial products or financial services. However, we will endeavour to collect such
information directly from you wherever practicable.
When we collect personal information about you, we will tell you why it is being collected, the
organisations, or the types of organisations, to whom we usually disclose that kind of information,
any law that requires the information to be collected, and the main consequences for you if the
information (or part of the information) is not provided. We will also give you our contact details and
tell you about how you can access the information.
Fortnum uses Salesforce as its cloud-based relationship managed system. Salesforce hosts data
through Amazon Web Services (AWS). The AWS servers are located in Sydney. Salesforce do not own
your data or have access to your data. There are instances where your data is stored within
Salesforce. We have attached a link to the Salesforce Privacy Policy relevant to our instance here:
https://www.salesforce.com/au/company/privacy/full_privacy
In addition, Fortnum uses the Microsoft Office 365 operating system. Portions of your data may be
stored through these systems. Microsoft have confirmed that data is stored in part in Australia and
also the United States of America. We have attached a link to the Microsoft Privacy Policy for your
information: https://www.microsoft.com/en-au/trust-center/privacy
In addition, Fortnum utilises the services of Contractors, who are located in the Philippines and India.
From time to time, we may utilise services of Contractors who are located in other countries.
Your adviser may disclose your personal information to overseas recipients in order to access
services they provide, such as paraplanning and administration. If this is the case, your Adviser or
their Principal Practice will provide you with details, including the relevant countries. If you consent
to this overseas disclosure, it is on the basis that Fortnum has not checked that the overseas
recipient complies with the Privacy Act but rather, this due diligence has been undertaken by the
Principal Practice.
HOW YOUR PERSONAL INFORMATION IS USED
Personal information is collected and held so that Fortnum and your Adviser can provide you with
services you request. This is known as the “primary purpose” for collecting and holding personal
information.
We cannot use or disclose your personal information for any secondary purposes unless certain
circumstances apply. We can use or disclose personal information for a secondary purpose where
you give us your consent to do so, or where:
• the secondary purpose is related to the primary purpose (where the information is
sensitive information, it must be directly related to the primary purpose); and
• you would reasonably expect us to use or disclose the information for the secondary
purpose.
The types of secondary purposes for which we would ordinarily use or disclose your personal
information include contacting you regarding other services that we believe may be of interest to
you.
We may also use or disclose information where such use or disclosure is permitted by the Australian
Privacy Principles. For example, where reasonably necessary to deal with unlawful activity or serious
threats to life, health or safety.
Some primary and secondary purposes will require disclosure of your personal information to third
parties. Some examples of when this would be required include for the purpose of providing you
with services. The likely recipients would be the issuers or operators of financial products or financial
services and providers of office and related services to us. We will require that any third parties to
whom we disclose personal information will only use that information for the purposes for which we
disclosed it to them and on the basis that they will comply with their privacy obligations.
If your Fortnum Group Member moves to another Australian Financial Services Licensee (AFSL), we
may provide your personal information to the other AFSL to enable your Fortnum Group Member to
continue providing you with services. Similarly, if your Fortnum Group Member sells their business
to another financial adviser or AFSL we may provide your personal information to them to enable
them to provide you with services. In the event of either of these things occurring, Fortnum will
notify you in advance and you will have the ability to opt out of this transition.
DATA QUALITY AND PROTECTION
Fortnum and your Fortnum Group Member will take reasonable steps:
• to make sure all personal information we collect is accurate, complete and up-to-date at
all times;
• to make sure all personal information we use or disclose is (having regard to the purpose
of the use or disclosure) accurate, complete up-to-date and relevant at all times.
We will also take reasonable steps to protect your personal information from misuse, interference
and loss, and from unauthorised access, modification and disclosure. Once your personal
information is no longer required by us, we will take reasonable steps to destroy or permanently de[1]identify that personal information, except in circumstances where we are required by law to retain
it.
ACCESS AND CORRECTION
If you think the personal information Fortnum and your Fortnum Group Member hold about you is
not accurate, complete or up-to-date, you should let us know. Also, please let us know any
relevant changes to your personal circumstances as soon as possible.
We will take reasonable steps to correct information where you provide sufficient evidence or we
are otherwise satisfied, having regard for the purpose for which the information is held, that the
information is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will also notify the
correction to other parties to whom we have previously disclosed the information and if such a party
refuses to make a correction, we will notify you of that refusal and how you can make a complaint.
If you require access to personal information we hold about you, please send us an email to
info@fortnum.com.au. We will generally allow access, unless certain exceptions apply under
the Australian Privacy Principles – for example, if we reasonably consider providing access would
pose a serious threat to the life, health or safety of any person, or providing access
would be likely to prejudice action being taken by an enforcement body, or providing access would
be unlawful.
Your request should specify the information to which you require access or which you wish to be
corrected. We will keep a record of your request for and the manner in which it was
dealt with.
We will not charge you for requesting access to, or correction of, your personal information. We
may, however, charge you the costs associated with meeting your request for access, for example
photocopying and postage costs.
We are required to respond to your request for access or correction within a reasonable period, of
receipt of your request.
We will provide you with access in the manner you request, if it is reasonable and practicable to do
so. If we cannot meet your request for access or correction, we will notify you by email and where
reasonable we will give you our reason and take steps to provide you with access. We will also tell
you about how you can complain about our decision.
ANONYMITY
You can contact us anonymously or by using a pseudonym. However, being unable to identify you
will limit the services your Fortnum Group Member can provide you and there may be specific cases
where we are prevented by law from dealing with you unless we identify you.
DATA BREACH
Should a data breach occur, we will notify affected individuals and the Office of the Australian
Information Commissioner (OAIC) of the data breaches that are likely to result in serious harm
within 30 days of the breach event.
The factors which might contribute to a reasonable person thinking “serious harm” might have
occurred include:
• The sensitivity of the information;
• Whether the information was encrypted;
• Whether the information was in a secure file;
• How likely it is that the security could be breached; or
• The identity of the person who obtained the information, whether they intend to cause
harm to the affected person and the nature of the harm.
COMPLAINTS AND FURTHER INFORMATION
If you would like further information about how we handle your personal information, please send
us an email to info@fortnum.com.au.
If you wish to make a complaint in relation to privacy, including a breach of the Australian Privacy
Principles, you can let us know by putting your concerns in writing or by calling us. You can contact
us at:
Complaints Officer (Fortnum)
PO Box R1872
Royal Exchange NSW 1225
By email at complaints@fortnum.com.au or by calling (02) 9904 2792.
Fortnum will investigate your complaint and respond to your concerns as quickly as possible and
within 30 days