Last Updated 15 July 2019
When an investor trusts us with their personal information, they expect Clearwater Portfolio Management (CPM) to protect it and keep it safe.
CPM is bound by the Privacy Act 1988 (Cth) (‘Privacy Act’) and will protect investors’ personal information in accordance with the Australian Privacy Principles. These principles govern how we can collect, use, hold and disclose investors’ personal information, as well as ensuring the quality and security of personal information.
About this policy
What is personal information?
Personal information includes any information or opinion about an identified individual, or an individual who can be reasonably identified from their information. The information or opinion will still be personal information whether it is true or not and regardless of whether we have kept a record of it.
The information that we seek to collect about an investor will depend on the products or services that we provide. If the investor does not allow CPM to collect all of the information we request, we may not be able to deliver all of those services effectively.
What type of personal information do we collect and hold?
When an investor applies for our products or services we will ask for personal information, financial information and identification information. This could include the investor’s name, address, contact details and date of birth, identification documents and other details. We may also collect their tax file number if we are authorised to collect it and if the investor chooses to supply it.
Throughout the life of the investor’s product or service, we may collect and hold additional personal information. This could include transaction information or making a record of queries or complaints made.
The collection of sensitive information is restricted by the Privacy Act. This includes information about an investor’s religion, racial or ethnic origin, political opinions, criminal record, and sexual orientation. It also includes health information and biometric information.
For what purposes do we collect, hold, use and disclose personal information?
Generally, CPM will only collect this sort of information if it is necessary to provide the investor with a specific product or service and the investor has consented to that collection.
The main reason CPM collects, uses, holds and discloses personal information is to provide the investor with products and services. This includes:
checking whether the investor is eligible for the product or service;
assisting the investor where online applications are not completed;
providing the product or service; and
helping manage the product or service.
CPM may also use investor information to comply with legislative or regulatory requirements in any jurisdiction, prevent fraud, crime or other activity that may cause harm in relation to our products or services and to help us run our business. We may also use investor information to tell our investors about products or services we think may interest them.
How do we collect personal information?
CPM collects most personal information directly from the investor. For example, we will collect an investor’s personal information when they apply for or use a product or service or talk to us in person or on the phone.
We also collect information from the investor electronically, for instance if the investor sends us electronic correspondence (see "Do we collect personal information electronically?").
Sometimes CPM will collect personal information about an investor from other people or organisations, with the investor’s consent. This may happen without the investor’s direct involvement. For instance, we may collect personal information about an investor from:
publicly available sources of information, such as public registers;
investor representatives (including your financial adviser, legal adviser, mortgage broker, executor, administrator, guardian, trustee, or attorney);
the investor’s employer;
other organisations who, jointly with us, provide products or services to the investor; and
commercial information service providers, such as companies that provide fraud prevention reports.
What laws require or authorise us to collect personal information?
CPM is required or authorised to collect:
certain identification information about the client by the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1); and
an investor’s Tax File Number, if they choose to provide it, by the Income Tax Assessment Act 1936 (Cth).
How do we hold personal information?
Much of the information CPM holds about the investor will be stored electronically on our computers and in secure data centres which are located in Australia. Some information we hold about investors will be stored in paper files, but this is usually only temporarily before the document is destroyed. CPM uses a range of physical and electronic security measures to protect the security of the personal information we hold. For example:
access to information systems is controlled through identity and access management;
employees are bound by internal information security policies and are required to keep information secure;
all employees are required to complete training about information security; and
we regularly monitor and review our compliance with internal policies and industry best practice.
We take reasonable steps to destroy or permanently de-identify any personal information after it can no longer be used. We must keep your information for seven years even if you are no longer an investor.
Who do we disclose your personal information to, and why?
CPM may provide personal information about our clients to organisations outside Clearwater Portfolio Management. To protect personal information, we enter into contracts with our service providers that require them to comply with the Privacy Act. These contracts oblige them to only use the personal information we disclose to them for the specific role we ask them to perform.
Generally, we disclose personal information to organisations that help us with our business. These may include:
our agents, contractors and external service providers (for example, mailing houses and technology service providers);
payment systems operators (for example, merchants receiving card payments);
other organisations who, jointly with us, provide products or services to you;
our direct financial services organisations, including the Responsible Entity, Unit Registry, Fund Administrators and custodians;
our legal advisers or auditors;
your representatives including your financial adviser, legal adviser, accountant, mortgage broker, executor, administrator, guardian, trustee, or attorney, when directed by you;
fraud bureaus or other organisations to identify, investigate or prevent fraud or other misconduct; and
regulatory bodies, government agencies and law enforcement bodies in any jurisdiction.
CPM may also disclose the investor’s personal information to others outside Clearwater Portfolio Management where:
we are required or authorised by law or where we have a public duty to do so;
the investor may have expressly consented to the disclosure or the consent may be reasonably inferred from the circumstances; or
we are otherwise permitted to disclose the information under the Privacy Act.
Do we disclose personal information overseas?
CPM may disclose an investor’s personal information to a recipient which is located outside Australia. This includes:
Any financial institution which the client holds an account with overseas where they have given us permission to make enquiries on their behalf.
Do we use or disclose personal information for marketing?
CPM will use an investor’s personal information to offer them products and services we believe may interest them, but we will not do so if they tell us not to. We may offer products and services by various means, including by mail, telephone, email, or other electronic means, such as through social media or targeted advertising through the Clearwater Portfolio Management website.
We will not disclose an investor’s personal information to companies outside Clearwater Portfolio Management who assist us to market our products and services to the investor.
Do we collect personal information electronically?
CPM will collect information from the investor electronically, for instance through internet browsing, mobile or tablet applications.
Each time a person visits our website, we collect information about their use of the website, which may include the following:
The date and time of visits;
Which pages are viewed;
How users navigate through the site and interact with pages (including fields completed in forms and applications completed);
Location information about users;
Information about the device used to visit our website; and
We use technology called cookies when a person visits our site. Cookies are small pieces of information stored on their hard drive or in memory. They can record information about their visit to the site, allowing it to remember you the next time you visit and provide a more meaningful experience.
The cookies we send to the person’s computer cannot read their hard drive, obtain any information from their browser or command their computer to perform any action. They are designed so that they cannot be sent to another site, or be retrieved by any non-Clearwater Portfolio Management site.
CPM won't ask anyone to supply personal information publicly over Facebook, Twitter, or any other social media platform that we use. Sometimes we may invite an investor to send their details to us via private messaging, for example, to answer a question. An investor may also be invited to share their personal information through secure channels to participate in other activities, such as competitions.
Access to and correction of personal information
You can request access to the personal information we hold about you. You can also ask for corrections to be made. To do so, please contact us.
There is no fee for requesting that your personal information is corrected or for us to make corrections.
If we refuse to give you access to or to correct your personal information we will give you a notice explaining our reasons except where it would be unreasonable to do so.
If we refuse your request to correct your personal information, you also have the right to request that a statement be associated with your personal information noting that you disagree with its accuracy. We will also provide you with information on how you can complain about the refusal.
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples of data breaches include:
A device containing investors’ personal information is lost or stolen;
A database containing personal information is hacked;
Personal information is mistakenly provided to the wrong person.
CPM utilises the services of an external IT consulting firm to assist us in securing our clients’ data. All team members are required to adhere to our internal policies in relation to privacy, email and Internet use.
CPM undertakes a risk assessment each year to ensure that our policies are being followed. We also have a Data Breach Register and this is reviewed by the Compliance Team at quarterly meetings.
If a data breach has occurred, or even if you are concerned that a data breach may have occurred, CPM team members must notify the Compliance Team immediately so that it can be promptly investigated.
As of 22 February 2018, we must report a ‘Notifiable Data Breach’ to the Office of the Australian Information Commissioner (OAIC) no later than 30 days after the incident occurred. We are also required to notify the investors impacted and/or publish details of the data breach on our website.
A ‘Notifiable Data Breach’ is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
All team members have a role to play in ensuring that our investors’ data is secure. This can be as simple as following these commonsense tips:
Avoid malware – do not click on links in suspicious ‘pop-up’ windows while browsing the Internet. The ‘pop-ups’ usually mention things like cleaning up your system, speeding up your computer, installing a toolbar or replacing your current antivirus software, or warn you that ‘malware’ has been installed on your computer.
Avoid ‘Phishing’ – never click on suspicious links in emails. Things to look out for in ‘phishing’ emails include:
Poor grammar and spelling (but they are getting better at this);
Is the email solicited or unsolicited?
The email asks you to click on a link;
The email address will not be authentic. It may be very close to authentic, but have one or two letters different. Please check the email address if you have doubts about the authenticity of the email;
Hovering over the link shows an address that is not associated with the sending party.
Take care when storing data on USB devices. Ensure that the device is secure and that the data is removed once it has served its purpose.
Avoid storing sensitive data on laptops. If this is necessary, ensure that the data is encrypted.
Ensure that you are correctly disposing of paper documents by using the office shredding machine.
Take care when connecting mobile phones to the network. This can result in sensitive information like email contacts being synced to the device. Ensure that your device has appropriate security controls, such as PIN codes, lock times and encryption.
If you are going to be away from your desk for a long period, make sure you lock your computer.
Use strong passwords and change these regularly. A strong password will have at least six characters (the more characters, the stronger the password). The password should also include a combination of letters, numbers and symbols if allowed. Passwords are typically case-sensitive, so a strong password contains letters in upper and lowercase. Try to avoid an obvious password that may be too easy to guess by a person or a program.
Resolving your privacy concerns and complaints – your rights
If you are concerned about how your personal information is being handled or if you have a complaint about a breach by us of the Australian Privacy Principles, please contact us.
We will acknowledge your complaint as soon as we can after receipt of your complaint. We will let you know if we need any further information from you to resolve your complaint.
We aim to resolve complaints as quickly as possible. We strive to resolve complaints within five business days but some complaints take longer to resolve. If your complaint is taking longer, we will let you know what is happening and a date by which you can reasonably expect a response.
Under the Privacy Act, you may complain to the Office of the Australian Information Commissioner about the way we handle your personal information.
The Commissioner can be contacted at
GPO Box 5218
Sydney NSW 2001
Phone: 1300 363 992
You can contact us by:
writing to us at PO Box 429, Sale VIC 3853
Meaning of words
We, us or our means:
Clearwater Portfolio Management Pty Ltd, ABN: 40 609 673 645