You are here:

Privacy Policy

1 Introduction 

1.1 From time to time MKS Group Pty Ltd (“the Company“) is required to collect, hold, use and/or  disclose personal information relating to individuals (including, but not limited to its customers,  contractors, suppliers and employees) in the performance of its business activities.  

1.2 The information collected by the Company will, from time to time, be accessible to certain individuals  employed or engaged by the Company who may be required to use the information in the course of  their duties.  

1.3 This document sets out the Company’s policy in relation to the protection of personal information, as  defined, under the Privacy Act 1988 (Cth) the (“Act“), which includes the Privacy Amendment  (Notifiable Data Breaches) Act 2017 (Cth) and the Australian Privacy Principles (“APP“). The APPs  regulate the handling of personal information. 

1.4 The obligations imposed on the Company under this policy are also imposed on any individual  employed or engaged by the Company (“employees”). 

1.5 This policy outlines the Company’s requirements and expectations in relation to the handling of  personal information.  

2 Scope 

2.1 This policy applies to all employees, independent contractors, consultants and other workers engaged  by the Company and who have access to personal information in the course of performing their duties.  

3 What is personal information? 

3.1 Personal information means information or an opinion (including information or an opinion forming part  of a database), whether true or not, and whether recorded in material form or not, about an individual  whose identity is apparent, or can reasonably be ascertained, from the information or opinion. 

3.2 We may collect personal information supplied to us such as a client or prospective client’s name, age,  date of birth, address, tax file number, banking details and other contact details. We may also collect  sensitive information from clients with their consent (in specific circumstances). 

4 What is not personal information?  

4.1 This policy does not apply to the collection, holding, use or disclosure of personal information that is  an employee record as they are exempt from the APPs.  

4.2 An employee record is a record of personal information relating to the employment of an employee.  Examples of personal information relating to the employment of the employee include, but are not  limited to, health information and information about the engagement, training, disciplining, resignation,  termination, terms and conditions of employment of the employee.  

4.3 Employees (such as those engaged in a supervisory, operations or human resource capacity) will  have access to employee records. Employees who have access to employee records must ensure  that the information is handled confidentially and for a proper purpose only. Employee records are only  permitted to be collected, used and disclosed where the act of doing so is directly related to a current  or former employment relationship.  

4.4 Employees who have access to employee records and who may have a question about the use or  disclosure of employee records, should contact the CEO.

5 Kinds of information that the Company collects and holds 

5.1 The Company collects personal information that is reasonably necessary for one or more of its  functions or activities or if the Company has received consent to collect the information. If the  Company collects sensitive information (as defined below), the Company must also have obtained  consent in addition to the collection being reasonably necessary.  

5.2 The type of information that the Company collects and holds may depend on an individual’s  relationship with the Company, for example:  

i. Candidate: if a person is a candidate seeking employment with the Company, the  Company may collect and hold information about that candidate including the candidates  name, address, email address, contact telephone number, gender, age, employment  history, references, resume, medical history, emergency contact, taxation details,  

qualifications and payment details. 

ii. Client: if a person is a client or prospective client of the Company, the Company may  collect and hold information including their name, address, email address, contact  telephone number, gender and age and other sensitive information such as tax file  number and banking details. 

iii. Supplier: if a person or business is a supplier of the Company, the Company may collect  and hold information about the supplier including the supplier’s name, address, email  address, contact telephone number, business records, billing information and information  about goods and services supplied by the supplier. 

iv. Referee: if a person is a referee of a candidate being considered for employment by the  Company, the Company may collect and hold information including the referee’s name,  contact details, current employment information and professional opinion of candidate. 

v. Sensitive information: the Company will only collect sensitive information where an  individual consents to the collection of the information and the information is reasonably  necessary for one or more of the Company’s functions or activities. Sensitive information  includes, but is not limited to, information or an opinion about racial or ethnic origin,  political opinions, religious beliefs, philosophical beliefs, membership of a trade union,  sexual preferences, criminal record, health information or genetic information. 

6 How the Company collects and holds personal information 

6.1 The Company (and the employees acting on the Company’s behalf) must collect personal information  only by lawful and fair means.  

6.2 The Company may collect personal information in a number of ways, including without limitation:  

i. through application forms (e.g. job applications, finance / loan applications, fact find for  financial planning / SMSF Advice services); 

ii. by email or other written mechanisms; 

iii. over a telephone call; 

iv. notes from face-to-face meetings; 

v. through transactions; 

vi. through the Company website; 

vii. through lawful surveillance means such as a surveillance camera;  

viii. by technology that is used to support communications between individuals and the  Company;  

ix. through publicly available information sources (which may include telephone directories,  the internet and social media sites); and 

x. direct marketing database providers. 

6.3 When the Company collects personal information about an individual through publicly available  information sources, it will manage such information in accordance with the APPs. 

Policy – Privacy 

6.4 At or before the time or, if it is not reasonably practicable, as soon as practicable after, the Company  collects personal information, the Company must take such steps as are reasonable in the  circumstances to either notify the individual or otherwise ensure that the individual is made aware of  the following:  

i. the identity and contact details of the Company; 

ii. that the Company has collected personal information from someone other than the  individual or if the individual is unaware that such information has been collected;  

iii. that collection of personal information is required by Australian law, if it is; 

iv. the purpose for which the Company collects the personal information; 

v. the consequences if the Company does not collect some or all of the personal  information; 

vi. any other third party to which the Company may disclose the personal information  collected by the Company; 

vii. the Company’s privacy policy contains information about how an individual may access  and seek correction of personal information held by the Company and how an individual  may complain about a breach of the APPs; and 

viii. whether the Company is likely to disclose personal information to overseas recipients,  and the countries in which those recipients are likely to be located.  

6.5 Unsolicited personal information is personal information that the Company receives which it did not  solicit. Unless the Company determines that it could have collected the personal information in line  with the APPs or the information is contained within a Commonwealth record, it must destroy the  information to ensure it is de-identified unless the Company determines that it is acceptable for the  Company to have collected the personal information.  

7 Use and Disclosure of Personal Information  

7.1 The main purposes for which the Company may use and/or disclose personal information may include  but are not limited to:  

i. recruitment functions; 

ii. client service management; 

iii. training and events; 

iv. surveys and general research; and 

v. business relationship management. 

7.2 The Company may also collect, hold, use and/or disclose personal information if an individual  consents or if required or authorised under law. 

7.3 Direct marketing:  

i. the Company may use or disclose personal information (other than sensitive information)  about an individual for the purpose of direct marketing (for example, advising a client about new goods and/or services being offered by the Company);  

ii. the Company may use or disclose sensitive information about an individual for the  purpose of direct marketing if the individual has consented to the use or disclosure of the  information for that purpose; and  

iii. an individual can opt out of receiving direct marketing communications from the Company  by contacting the Privacy Officer in writing or if permissible accessing the Company’s  website and unsubscribing appropriately. 

8 Disclosure of Personal Information 

8.1 The Company may disclose personal information for any of the purposes for which it is was collected,  as indicated under clause 6 of this policy, or where it is under a legal duty to do so.  

8.2 Disclosure will usually be internally and to related entities or to third parties such as contracted service 

Policy – Privacy 


8.3 If an employee discloses personal information to a third party in accordance with this policy, the  employee must take steps as are reasonable in the circumstances to ensure that the third party does  not breach the APPs in relation to the information. 

9 Access to personal information 

9.1 If the Company holds personal information about an individual, the individual may request access to  that information by putting the request in writing and sending it to the Privacy Officer. The Company  will respond to any request within a reasonable period, and a charge may apply for giving access to  the personal information where the Company incurs any unreasonable costs in providing the personal  


9.2 There are certain circumstances in which the Company may refuse to grant an individual access to  personal information. In such situations the Company will provide the individual with written notice that  sets out:  

i. the reasons for the refusal; and 

ii. the mechanisms available to you to make a complaint. 

9.3 If you receive such a request, please contact the CEO. 

10 Correction of personal information 

10.1 If the Company holds personal information that is inaccurate, out-of-date, incomplete, irrelevant or  misleading, it must take steps as are reasonable to correct the information. 

10.2 If the Company holds personal information and an individual makes a request in writing addressed to  the Privacy Officer to correct the information, the Company must take steps as are reasonable to  correct the information and the Company will respond to any request within a reasonable period. 

10.3 There are certain circumstances in which the Company may refuse to correct the personal  information. In such situations the Company will give the individual written notice that sets out:  

i. the reasons for the refusal; and 

ii. the mechanisms available to the individual to make a complaint. 

10.4 If the Company corrects personal information that it has previously supplied to a third party and an  individual requests the Company to notify the third party of the correction, the Company will take such  steps as are reasonable to give that notification unless impracticable or unlawful to do so. 

10.5 If you receive such a request, please contact the CEO. 

11 Integrity and security of personal information 

11.1 The Company will take such steps (if any) as are reasonable in the circumstances to ensure that the  personal information that it collects is accurate, up-to-date and complete.  

11.2 Employees must take steps as are reasonable in the circumstances to protect the personal  information from misuse, interference, loss and from unauthorised access, modification or disclosure. 

11.3 If the Company holds personal information and it no longer needs the information for any purpose for  which the information may be used or disclosed and the information is not contained in any  Commonwealth record and the Company is not required by law to retain the information, it will take  such steps as are reasonable in the circumstances to destroy the information or to ensure it is de identified. 

Policy – Privacy 

11.4 If you are unsure whether to retain personal information, please contact the CEO or Director/s to  discuss. 

12 Data Breaches and Notifiable Data Breaches 

12.1 A “Data Breach” occurs where personal information held by the Company is accessed by, or is  disclosed to, an unauthorised person, or is lost. An example of a Data Breach may include:  

i. Lost or stolen laptops or tablets;  

ii. Lost or stolen mobile phone devices;  

iii. Lost or stolen USB data storage devices;  

iv. Lost or stolen paper records or documents containing personal information relating to the  Employer’s customers or employees; 

v. Employees mistakenly providing personal information to the wrong recipient (i.e. payroll  details to wrong address);  

vi. Unauthorised access to personal information by an employee;  

vii. Employees providing confidential information to the Employer’s competitors;  viii. Credit card information lost from insecure files or stolen from garbage bins;  ix. Where a database has been ‘hacked’ to illegally obtain personal information; and x. Any incident or suspected incident where there is a risk that personal information may be  misused or obtained without authority.  

12.2 The Company must carry out a ‘reasonable and expeditious’ assessment as soon as a data breach or  suspected data breach is identified. 

12.3 There are three key steps to take in any assessment of a data breach in which Management will use to  assess data breaches: 


Decide whether an assessment is necessary and identify which person or group will be  responsible for completing it 


Quickly gather relevant information about the suspected breach including, for example, what  personal information is affected, who may have had access to the information and the likely  impacts. 


Make a decision, based on the investigation, about whether the identified breach is an eligible  data breach. 

12.4 If you are aware of or reasonably suspect a Data Breach, you must report the actual or suspected  Data Breach to the CEO as soon as reasonably practicable and not later than 24 hours after becoming  aware of the actual or suspected Data Breach. 

12.5 A “Notifiable Data Breach” occurs where there is an actual Data Breach, and: 

i. a reasonable person would conclude that the unauthorised access or disclosure would  likely result in serious harm to the relevant individual (including harm to their physical or  mental well-being, financial loss, or damage to their reputation); or 

ii. in the case of loss (i.e. leaving an unsecure laptop containing personal information on a  bus), unauthorised access or disclosure of personal information is likely to occur as a  result of the Data Breach, and a reasonable person would conclude that the unauthorised  access or disclosure would likely result in serious harm to the relevant individual 

(including harm to their physical or mental well-being, financial loss, or damage to their  reputation).

Policy – Privacy 

12.6 A Notifiable Data Breach does not include a Data Breach where the Company has been successful in  preventing the likely risk of serious harm by taking remedial action.  


12.7 If the Company is aware of any actual or suspected Data Breach, it will conduct a reasonable and  expeditious assessment to determine if there are reasonable grounds to believe that the Data Breach  is a Notifiable Data Breach or not.  


12.8 Subject to any restriction under the Act, in the event that the Company is aware of a Notifiable Data  Breach, the Company will, as soon as practicable, prepare a statement outlining details of the breach and notify:  

i. the individual whose personal information was part of the Data Breach ; and 

ii. the Office of the Australian Information Commissioner. 

13 Anonymity and Pseudonymity 

13.1 Individuals have the option of not identifying them self, or using a pseudonym, when dealing with the  Company in relation to a particular matter. This does not apply:  

i. where the Company is required or authorised by or under an Australian law, or a  court/tribunal order, to deal with individuals who have identified themselves; or 

ii. where it is impracticable for the Company to deal with individuals who have not identified  themselves or who have used a pseudonym.  

13.2 However, in some cases if an individual does not provide the Company with the personal information  when requested, the Company may not be able to respond to the request or provide you with the  goods or services that you are requesting.  

14 Systems 

14.1 The company uses a system software to prevent cyber crime. Practice Protect (system software) has  been configured for all Company users for all web based applications used in our business. It is our  firm policy that passwords are randomly generated and are 16 characters in length (where the  application allows) to ensure best practice to protect the Company and employers from cyber attacks  (e.g. hackers). Where 16 character passwords are not permissible by a software application, we will  deploy a password no less than 8 characters in length but will endeavour to have the maximum  number of characters permissible by that application. Additionally, where an application enables us to  do so, two step authentication to another device will be deployed – either by using third party  applications such as the ‘Google’ authenticator application that resides on a mobile phone or codes  sent via text message to mobile phones directly. 

15 Security 

15.1 We take our security obligations seriously and your personal information is regarded as confidential  and may be held in both hard copy and/or electronic versions. We will take all reasonable steps to  safeguard your information so that it is not misused, lost, modified, accessed by unauthorised persons  or disclosed without authorisation.  

15.2 As responsible data custodians we are familiar with the requirements of the Notifiable Data Breaches  scheme and are committed to responding to data breaches in accordance with our obligations under  the Privacy Act. We will notify the Office of the Australian Information Commissioner and you if there is 

Policy – Privacy 

unauthorised access to, unauthorised disclosure of, or loss of, personal information held by us and the  access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the  information relates in accordance with the Privacy Act. 

15.3 As responsible data custodians, any breach of this Privacy Policy by our employees, contractors,  consultants, partners and any other entity that at our direction have access to your personal  information will invoke disciplinary and possible legal action against the offending party. 

16 Complaints 

16.1 Individuals have a right to complain about the Company’s handling of personal information if the  individual believes the Company has breached the APPs.  

16.2 If an employee becomes aware of an individual wanting to make such a complaint to the Company,  the employee should direct the individual to first contact General Manager in writing. Complaints will  be dealt with in accordance with the Company’s complaints procedure and the Company will provide a  response within a reasonable period.  

16.3 Individuals who are dissatisfied with the Company’s response to a complaint, may refer the complaint  to the Office of the Australian Information Commissioner.  

17 Breach of this policy 

17.1 An employee directed by the Company to do an act under this policy and which relates to personal  information, must ensure that in doing the act they comply with the obligations imposed on the  Company. An employee directed by the Company who fails to do an act in accordance with this policy  will be deemed to have breached this policy and will be subject to formal counselling and disciplinary  action, up to and including possible termination of the employee’s employment.