Our Commitment
Elston Group (referred to in this policy as ‘we’, ‘us’, or ‘our’) is committed to providing you with the highest levels of client service. We recognise the significant importance of your privacy. The Privacy Act 1988 (Cth), as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) and the Privacy and Other Legislation Amendment Act 2024 (Cth), established several Australian Privacy Principles (APPs). Our aim is to both support and ensure that we comply with these principles in managing your personal information in an open and transparent way, as required under APP 1.3 and 1.4.
We regularly review and update our privacy policy to ensure ongoing compliance with evolving privacy laws and best practices.
This Privacy Policy discloses the purposes for which, and the ways in which, the personal information you provide to us and our representatives is collected, used, held, disclosed, and disseminated.
We recommend that you regularly check our website for any updates to our Privacy Policy.
Your Personal Information
The personal information we collect includes but is not limited to:
- your name, contact details, date of birth, and tax file number;
- additional information as mandated by taxation laws and other relevant regulations;
- information regarding your dependents and family commitments;
- your occupation, and employment history;
- government identifiers on identity documents, such as Medicare numbers, Centrelink reference numbers, driver’s licence number, and Australian passport number;
- information about your health that you provide to us (such as details about health conditions which are relevant to our financial advice and services), where you consent to our collection and handling of that information;
- your financial needs and objectives; and
- your assets, liabilities, income, expenses, insurances, and social security entitlements.
We collect the above information for the purposes outlined in this Privacy Policy. We may also be required to collect this personal information to comply with our obligations under the Corporations Act 2001 (Cth) and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth).
How We Collect Personal Information
Elston Group collects personal information directly from you or from third parties once authorisation has been provided by you. You have the right to refuse us authorisation to collect such information from a third party.
How We Use Your Personal Information
Primarily, your personal information is used to provide financial advice and services to you. We may also use the information for purposes related to the primary purpose where it is reasonable for you to expect the information to be disclosed.
From time to time, we may provide you with direct marketing material. If, at any time, you do not wish to receive this information any further, you may contact us with this request. We will endeavour to meet your request within 2 weeks. We maintain a Register for those individuals not wanting direct marketing material.
You may opt out of direct marketing at any time and at no cost, by contacting us via email, telephone, or using the unsubscribe link provided in our communications.
When We May Disclose Your Personal Information
In line with modern business practices common to many financial institutions and to meet your specific needs, we may disclose your personal information to the following entities, including but not limited to:
- superannuation fund trustees, insurance providers, fund managers and other product providers in order to manage or administer your product or service;
- compliance consultants and other professional services advisers;
- paraplanning contractors or temporary staff to handle workloads during peak periods;
- mailing houses;
- insurance reference bureaus and loss adjusters;
- your professional advisers, including your solicitor or accountant as authorised by you;
- third party information technology service providers engaged by us to facilitate the provision of our services to you, including service providers that provide automated artificial intelligence (AI) file noting services (such as BLV Solutions which may temporarily process your data in the US and EU);
- our IT service providers who provide or support the systems where personal information is stored;
- another authorised representative of Elston Group if necessary;
- a potential purchaser/organisation involved in the proposed sale of our business for the purpose of due diligence, corporate re-organisation and transfer of all or part of the assets of our business. Disclosure will be made in confidence, and it will be a condition of that disclosure that no personal information will be used or disclosed by them;
- a new owner of our business that will require the transfer of your personal information; and
- government and regulatory authorities, as required or authorised by law.
Our employees and the outsourcing companies/contractors are obliged to respect the confidentiality of any personal information held by Elston Group.
The Corporations Act has provided the Australian Securities and Investments Commission with the authority to inspect certain personal information that is kept on our files about you.
We collect your personal information for the purpose of reporting to Australian Transaction Reports and Analysis Centre (AUSTRAC) under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
Elston Group takes its obligations to protect your personal information seriously, including when we operate throughout Australia or overseas.
We may disclose personal information (including your health information) to our third-party service providers, agents and intermediaries located overseas so that they can provide us with services in connection with the operation of our business. This may mean that your personal information is temporarily stored and processed in the following countries: the United States and Europe.
Where we disclose personal information to overseas recipients, we take reasonable steps to ensure those recipients do not breach the APPs, or that they are subject to equivalent data protection laws in their jurisdiction.
If we are required to provide specific personal information to an overseas intermediary, we will notify you prior to providing that information.
We do not use automated decision-making to make decisions that affect your rights or interests. Any AI tools used by Elston Group (such as file noting platforms) are solely for administrative assistance and do not make decisions that affect your rights, entitlements, or interests.
We do not transfer your personal information overseas except as required for temporary processing by certain IT service providers, as described above.
How We Store and Secure Your Personal Information
We keep your personal information in your client files or electronically. These files are accessible to authorised personnel only and are appropriately secured and subject to confidentiality requirements.
Personal information is treated as confidential information and sensitive information is treated as highly confidential.
It is a legislative requirement that we keep all personal information and records for a period of 7 years. Should you cease to be a client of ours, we will maintain your personal information on or off-site in a secure manner for 7 years. After this period, the information will be securely destroyed or permanently de-identified in accordance with the Office of the Australian Information Commissioner’s (OAIC) guidance on data retention and destruction.
We have strengthened our approach to information security in line with the requirements of APP 11.3. Elston Group takes “reasonable steps” to protect your personal information, which now specifically includes both technical and organisational measures:
- Technical measures: We use secure IT systems, data encryption, firewalls, multi-factor authentication, and regular security updates to protect your information from misuse, loss, unauthorised access, modification, or disclosure.
- Organisational measures: We have robust policies, staff training, access controls, regular audits, and procedures for deactivating user accounts when staff leave. Our Board and management regularly review our privacy and security practices to ensure their effectiveness.
We continually assess our security measures to ensure they are appropriate to the sensitivity and volume of personal information we hold, as well as the risks faced by our business.
We comply with the Notifiable Data Breaches (NDB) scheme. In the event of a data breach that is likely to result in serious harm, we will promptly notify affected individuals and the OAIC.
We follow a formal data breach response plan that includes identifying and containing the breach, assessing the scope and risk of harm, and notifying affected individuals and the OAIC within the required timeframe.
Ensure Your Personal Information Is Correct
Elston Group takes all reasonable precautions to ensure that the personal information we collect, use and disclose is accurate, complete and up to date. To ensure we can maintain this level of accuracy and completeness, we recommend that you:
- inform us of any errors in your personal information; and
- update us with any changes to your personal information as soon as possible.
If you provide inaccurate or incomplete information, we may be unable to provide you with the products or services you are seeking.
Access to Your Personal Information
You have a right to access your personal information, subject to certain exceptions allowed by law. We ask that you provide your request for access in writing (for security reasons), and we will provide you with access to that personal information. Access to the requested personal information may include:
- providing you with copies;
- providing you with the opportunity for inspection; and/or
- providing you with a summary.
If charges are applicable in providing access to you, we will disclose these charges to you prior to providing you with the information.
Some exceptions exist where we will not provide you with access to your personal information such as if:
- providing access would pose a serious threat to the life or health of a person;
- providing access would have an unreasonable impact on the privacy of others;
- the request for access is frivolous or vexatious;
- the information is related to existing or anticipated legal proceedings between us and would not be discoverable in those proceedings;
- providing access would reveal our intentions in relation to negotiations with you in such a way as to prejudice those negotiations;
- providing access would be unlawful; and
- providing access would be likely to prejudice certain operations by or on behalf of an enforcement body or an enforcement body request that access not be provided on the grounds of national security.
Should we refuse you access to your personal information, we will provide you with a written explanation for that refusal.
Using Government Identifiers
Although in certain circumstances we are required to collect government identifiers such as your tax file number, Medicare number or pension card number, we do not use or disclose this information other than when required or authorised by law or unless you have voluntarily consented to disclose this information to any third party.
Dealing with us anonymously
In most instances we will require personal information before we can provide services to you. Where it is lawful and practicable to do so, you can deal with us anonymously; for example, if you telephone requesting our postal address.
Your sensitive information
Without your consent, we will not collect information about you that reveals your racial or ethnic origin, political opinions, religious or philosophical beliefs or affiliations, membership of professional or trade association, membership of a trade union, details of health, disability, sexual orientation, criminal record, genetic information, biometric information or biometric templates.
This is subject to some exceptions including when:
- collection is required by law; and
- the information is necessary for the establishment, exercise or defence of a legal claim.
Third Party Websites
Elston Group’s websites may provide links to third party websites. The use of your information by these third-party sites is not within our control and we cannot accept responsibility for the conduct of these organisations. Other websites are not subject to our privacy standards. You will need to contact or review those websites directly to ascertain their privacy policies.
You may register with us to receive newsletters and other information. By doing so, your name and email address will be collected and stored on our database. We take care to ensure that the personal information you give us on our websites is protected. For example, our websites have electronic security systems in place, including the use of firewalls and data encryption.
If you do not wish to receive any further information from us, or you wish to update your registration details, please email your request to us. We will endeavour to meet your request within 5 working days.
Our websites utilise cookies to provide you with a better user experience. Cookies also allow us to identify your browser while you are using our site – they do not identify you. If you do not wish to receive cookies, you can instruct your web browser to refuse them.
Spam Policy
Spam is a generic term used to describe electronic ‘junk mail’: unwanted messages sent to a person’s email account or mobile phone. In Australia, spam is defined as ‘unsolicited commercial electronic messages’.
The Australian Communications and Media Authority (ACMA) is responsible for enforcing the provisions of the Spam Act 2003 (Cth). Additional information about the Spam Act and the ACMA’s role is available from: www.acma.gov.au.
‘Electronic messaging’ covers emails, instant messaging, SMS, MMS and other mobile phone messaging, but does not cover normal voice-to-voice communication by telephone.
Elston Group complies with the provisions of the Spam Act when sending commercial electronic messages.
Equally importantly, Elston Group makes sure that our practices are in accordance with the Australian Privacy Principles in all activities where we deal with personal information.
Internal Procedure for dealing with complaints
The three key steps Elston Group follows:
- Consent – Commercial electronic messages are sent only with the addressee’s consent – either express or inferred consent.
- Identify – Electronic messages will include clear and accurate information about the person and the Elston Group that is responsible for sending the commercial electronic message.
- Unsubscribe – We ensure that all our commercial electronic messages include a functional unsubscribe facility, and that we handle unsubscribe requests promptly.
Comply with the law regarding viral messages
Elston Group ensures that Commercial Communications that include a Forwarding Facility contain a clear recommendation that the Recipient should only forward the Commercial Communication to persons with whom they have a relationship, where that relationship means that person could be said to have consented to receiving Commercial Communications.
Comply with the age sensitive content of commercial communication
Where the content of a commercial communication seeks to promote or encourage interaction with an age-sensitive product, service, or event, Elston Group takes reasonable steps to ensure that such content is sent only to recipients who are legally entitled to use or participate in it.
Complaints Resolutions
The Spam Act specifies that the person’s consent must be withdrawn within 5 working days from the date that an unsubscribe request was sent (in the case of electronic unsubscribe messages) or delivered (in the case of unsubscribe messages sent by post or other means).
Please contact our Privacy Officer if you wish to file a complaint regarding any actual or suspected breach of your privacy rights. Your complaint will be responded to within 7 days. If you are not satisfied with the outcome of your complaint, you are entitled to direct your complaint to the Office of the Australian Information Commissioner (OAIC).
Contact Details
If you have a question regarding this policy, a complaint about how we handle your information, or wish to make an access request, you can contact us by writing to us at:
Privacy Officer
Address: Elston Group, GPO Box 2220, Brisbane, QLD, 4001
E-mail: epfs@elston.com.au