
1. Parties to the MOU

1.1 The parties to this Memorandum of Understanding (MOU) are the Office of the Australian Information Commissioner (OAIC) and the Australian Securities and Investments Commission (ASIC) (together the Parties). In this MOU, the term 'Party' will mean either the OAIC or ASIC, as the context allows.

1.2 The OAIC is an independent Commonwealth statutory agency established under the Australian Information Commissioner Act 2010 (Cth) (AIC Act), responsible for regulating privacy law and freedom of information law, including relevantly, the Privacy Act 1988 (Cth) (Privacy Act). The OAIC is led by the Australian Information Commissioner (AIC) who is appointed by the Governor-General under section 14 of the AIC Act.

1.3 ASIC is an independent Commonwealth statutory agency established under the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act) responsible for regulating corporations and the financial system. ASIC administers the ASIC Act, the Corporations Act 2001 (Cth) and the legislation enumerated in subsection 12A(1) of the ASIC Act.

2. Purpose and function of the MOU

2.1 This MOU facilitates the sharing of information and documents (information sharing) between the OAIC and ASIC.

2.2 This MOU is intended to facilitate both:

  1. proactive information sharing where the Parties, relying on the information and assurances provided in this MOU, share information with each other on their own motion; and
  2. information sharing in response to a written request where the Parties, relying on the information and assurances provided in this MOU and in any written request, share information with each other.

3. Scope of the MOU

3.1 This MOU does not create any enforceable rights or impose any legally binding obligations on either Party.

3.2 The MOU is not intended to be exhaustive in the subject matters within its scope. The Parties may enter into any other arrangements for cooperation and collaboration to the full extent permitted by the law.

3.3 Nothing in this MOU affects the exercise of the legislative functions, powers, duties or obligations of either Party.

4. Term of this MOU

4.1 This MOU commences on the date it is signed by the last party and continues unless it is terminated in accordance with clause 12.1.

5. Powers, functions and duties of the Parties

OAIC powers, functions and duties under the Privacy Act

5.1 The AIC has:

  1. the information commissioner functions, the freedom of information functions and the privacy functions as those terms are defined in the AIC Act; and
  2. power to do all things necessary to be done for or in connection with the functions listed in clause 5.1(a).

5.2 Relevantly, section 33A of the Privacy Act provides that:

  1. information sharing under that section must be done for the purpose of either:
    1. the AIC exercising powers, or performing functions or duties under the Privacy Act; or
    2. ASIC exercising its powers, or performing its functions or duties;
  2. information or documents shared by the AIC with ASIC under that section must be acquired by the AIC in the course of exercising powers, or performing functions or duties, under the Privacy Act;
  3. the AIC must be satisfied on reasonable grounds that ASIC has satisfactory arrangements in place for protecting information or documents proposed to be shared with it under that section; and
  4. where information or documents proposed to be shared under that section were acquired by the AIC from an agency, as that term is defined in the Privacy Act, those information or documents can only be shared with an agency, such as ASIC.

5.3 ASIC is a receiving body capable of receiving information from the AIC under section 33A of the Privacy Act, as ASIC falls within the definition of an ‘enforcement body’ pursuant to section 6 and section 33A(2) of the Privacy Act.

5.4 The AIC also has other relevant information sharing powers. For example, subsection 28B(1)(a) of the Privacy Act provides that the AIC may, amongst other things, provide advice to a Minister or entity about any matter relevant to the operation of the Privacy Act.

5.5 Section 29 of the AIC Act makes unauthorised dealing with information an offence where information is acquired in the course of performing functions or exercising powers for the purposes of an information commissioner function, a freedom of information function or a privacy function.

5.6 The AIC will only share information in accordance with the requirements of the Privacy Act and any other applicable laws and regulations in its jurisdiction.

ASIC powers, functions and duties

5.7 ASIC has:

  1. powers, functions and duties under legislation that is relevant to this MOU, as set out in Appendix A; and
  2. the power to do whatever is necessary for or in connection with, or reasonably incidental to, the performance of its functions.

5.8 To comply with the requirements of section 127 of the ASIC Act, ASIC may only share confidential and protected information under this MOU if either:

  1. the sharing of information is for the purpose of ASIC exercising its powers or performing its functions; or
  2. the ASIC Chairperson, or their delegate, is satisfied that the information would enable or assist the OAIC to exercise its powers, or perform its functions.

5.9 The Parties agree to:

  1. immediately notify each other should this MOU no longer accurately reflect the powers, functions and duties of the Parties relevant to the information sharing foreseen under it; and
  2. as soon as is practicable after having sent or received notification under clause 5.9(a), cooperate to vary the MOU in accordance with clause 11 to make it accurate.

6. Security arrangements of ASIC

6.1 In addition to any legislative requirements, each Party may impose conditions on the use of information provided to the other Party.

6.2 Each Party agrees to:

  1. implement a data breach response process or plan in the event of a data breach, for the purposes of undertaking remedial action to minimise risk of harm, to ensure compliance with the Australian Privacy Principles¹, and the Notifiable Data Breach scheme²;
  2. protect any information or documents shared with it under this MOU in accordance with the arrangements in Appendix B;
  3. upon request by the other Party provide evidence of ongoing compliance with clause 6.2(a);
  4. immediately notify the other Party should this MOU no longer accurately reflect the arrangements put in place by ASIC to protect information and documents shared under this MOU; and
  5. as soon as is practicable after notifying the OAIC under clause 6.2(c), arrange for variations to make this MOU accurate.

7. Proactive information sharing

7.1 The Parties agree that they may proactively information share under this MOU, subject to any applicable laws within their respective jurisdictions.

7.2 Where the Parties proactively information share under this clause 7, the Parties will:

  1. address all correspondence to the contact officer in Appendix C; and
  2. clearly record:
    1. that information or documents shared under this MOU was shared on its own motion;
    2. the nature or kind of information or documents shared with the other Party; and
    3. the purpose for which the information or documents were shared.

8. Information sharing requests

8.1 Each Party may request that the other Party share information or documents under this MOU (Information Sharing Request).

8.2 When an Information Sharing Request is made, each Party must:

  1. clearly express each Information Sharing Request as such; and
  2. address each Information Sharing Request to the contact officer in Appendix C.

8.3 Each Information Sharing Request must:

  1. be in writing; and
  2. contain:
    1. a sufficiently detailed description of the requested information or documents;
    2. the purpose for which the requested information or documents are sought; and
    3. to the extent that the Party seeks the requested information or documents to exercise its powers or perform its functions and duties, the relevant power, function or duty.

8.4 Where either Party perceives a need for expedited action:

  1. a Party may make an Information Sharing Request in any form, but must subsequently confirm the request in writing in accordance with the requirements outlined in clause 8.3 within 10 business days; and
  2. the Parties will endeavour to provide the information requested to each other as quickly as possible, subject to the terms of this MOU.

8.5 An Information Sharing Request may be denied by the Parties where, amongst other things, the disclosure would interfere with national security or an ongoing investigation, result in a waiver of privilege, or where it would be unlawful. If an Information Sharing Request has been denied by a Party, that Party should provide the other Party with reasons for the denial.

9. Use of shared information or documents

9.1 ASIC acknowledges that information shared with it by the AIC under s33A of the Privacy Act can only be used for the purpose for which it is shared, and ASIC agrees to comply with s.33A of the Privacy Act.

9.2 The AIC acknowledges that ASIC has the power to impose conditions upon the disclosure of information to the AIC and agrees to comply with those conditions.

9.3 If a Party is served with a binding legal order or requirement to provide information to a third party, and that information was obtained from the other Party under this MOU, that Party will:

  1. notify the other Party of the order or requirement as soon as practicable unless legally compelled not to do so; and
  2. to the extent practicable, consult with the other Party as to how to respond to the order or requirement.

9.4 If a Party receives a request to release information obtained from the other Party under the Freedom of Information Act 1982, that Party will consult with the other Party in accordance with the relevant guidelines issued by the Australian Information Commissioner, subject to the statutory timeframes for issuing a decision.

9.5 If a Party wishes to disclose information obtained under this MOU to a third party where it is not legally compelled to do so, that Party must:

  1. obtain the other Party’s consent prior to the disclosure; and
  2. impose on the third party any conditions which have been made by the other Party concerning the use of that information.

10. Confidentiality

10.1 Information sharing undertaken in accordance with this MOU is subject to all applicable confidentiality, secrecy and privacy requirements under the laws applicable to the Parties in their respective jurisdictions.

11. Variations

11.1 The Parties will monitor the operation of the MOU and review it as required.

11.2 Any term of this MOU may be varied at any time with the mutual written consent of each Party.

12. Termination of MOU

12.1 Either Party may terminate this MOU by giving at least 30 days' written notice to the other Party. The termination will take effect 30 days after the notice is sent, unless otherwise agreed, in writing, between the Parties.

13. Costs

13.1 Each Party agrees to bear its own costs in performing its functions under this MOU.

13.2 If it appears that a Party is likely to incur substantial costs in responding to an Information Sharing Request, that Party may consult with the other Party as to how to respond to the Information Sharing Request.

14. Claims or Complaints

14.1 The Parties agree to consult and cooperate with each other in the event of any complaint or claim made against a Party relating to the use of information shared in accordance with this MOU.

15. Dispute Resolution

15.1 Where a dispute arises between the Parties regarding this MOU, the Parties will make reasonable attempts to resolve the dispute at the contact officer level.

16. Notices

16.1 Any notice in relation to this MOU is to be in writing and delivered to the contact officer specified in Appendix C.

16.2 A notice is deemed to be effected:

  1. if delivered by hand - upon delivery to the relevant address;
  2. if sent by post - upon delivery to the relevant address; or
  3. if transmitted electronically - upon actual receipt by the addressee.

16.3 A notice received after 5.00 pm, or on a day that is not a business day in the place of receipt, is deemed to be effected on the next business day in that place.

Signatures and Execution

Joseph Longo

Chair, Australian Securities and Investments Commission

Melanie Drayton

Acting Deputy Commissioner (Office of the Australian Information Commissioner)

Date: 13 June 2024

Date: 31 May 2024

Appendix A: Powers, functions and duties of ASIC

The legislation under which ASIC is given powers, functions and duties relevant to this MOU is as follows.

Legislative or other authority

Australian Securities and Investments Commission Act 2001 (Cth)

Corporations Act 2001 (Cth)

ASIC Supervisory Cost Recovery Levy Act 2017 (Cth)

ASIC Supervisory Cost Recovery Levy (Collection) Act 2017 (Cth)

Financial Services Compensation Scheme of Last Resort Levy (Collection) Act 2023 (Cth)

Insurance Contracts Act 1984 (Cth)

Life Insurance Act 1995 (Cth)

Retirement Savings Accounts Act 1997 (Cth)

Superannuation Industry (Supervision) Act 1993 (Cth)

National Consumer Credit Protection Act 2009 (Cth)

National Consumer Credit Protection (Transitional and Consequential Provisions) Act 2009 (Cth)

Business Names Registration Act 2011 (Cth)

Business Names Registration (Transitional and Consequential Provisions) Act 2011 (Cth)

Financial Accountability Regime Act 2023

Appendix B: Arrangements to protect information or documents shared

The standard information security criteria are as follows.

| Arrangement | Y/N |
| --- | --- |
| Have a secure ICT system and secure internet gateways in place. | |
| Store information or documents shared under this MOU separately to other documents. | |
| Limit access to information or documents shared under this MOU to those staff responsible for exercising the powers, functions or duties of that Party. | |
| Comply with the Information Security requirements under the Protective Security Policy Framework or another framework with at least as protective requirements. | |
| Notify the other Party in the event there is a data breach involving information or documents shared under this MOU. | |
| Subject to other relevant legislative requirements, destroy or de-identify any information or documents shared under this MOU when they are no longer required for the purpose for which they were shared. | |

Appendix C: Contact details

The contact details for each party are as follows.

OAIC contact officer

Name: Melanie Drayton

Role: Acting Deputy Commissioner

Phone: 0299424216

Email: Melanie.drayton@oaic.gov.au

Service address: Level 10, 175 Pitt Street, Sydney NSW 2000

Postal address: Office of the Australian Information Commissioner GPO 5288 Sydney NSW 2001

ASIC contact officer

Name: Joseph Longo

Role: Chair, Australian Securities and Investments Commission

Phone: 1300935075

Email: ASIC.Chair@asic.gov.au

Service address: Level 7, 120 Collins St, Melbourne VIC 3000

Postal address: Australian Securities and Investments Commission, GPO Box 9827, Melbourne VIC 3001

1 In particular, Australian Privacy Principle 1 requires entities to take reasonable steps to establish and maintain practices, procedures, and systems to ensure compliance with the APPs.

2 Part IIIC of the Privacy Act 1988 (Cth).