Wilson Asset Management: enforceable undertaking

Date: 28 June 2019

Enforceable undertaking

under s 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth)

This undertaking is offered to the Australian Information Commissioner by:

Wilson Asset Management (International) Pty Limited

Level 26, Governor Phillip Tower, 1 Farrer Place Sydney NSW 2000
(ABN 89 081 047 118)

Wilson Asset Management (International) Pty Limited (WAMI) offers this enforceable undertaking under s 114 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act) to address the concerns identified by the Australian Information Commissioner (Commissioner) in the investigation commenced on 8 April 2019 under s 40(2) of the Privacy Act 1988 (Cth) (Privacy Act).

Background

  1. In May 2018, WAMI established an online registration page on its website for its petition to “maintain the current dividend imputation system” (WAMI’s petition).
  2. On 31 October 2018, the domain https://stoptheretirementtax.com.au was registered (the website). The website stated it was authorised by Tim Wilson MP, and provided an online form to collect submissions in relation to the House of Representatives Standing Committee on Economics ‘Inquiry into the implications of removing refundable franking credits’.
  3. The online form included three pre-selected tick boxes, one of which stated ‘I want to be registered for the petition against the retirement tax’. The words ‘the petition’ hyperlinked to WAMI’s petition where the words “By signing, you accept Wilson Asset Management’s Privacy Policy and agree to receive updates from Wilson Asset Management. You can unsubscribe at any time” was stated under the “Sign the petition” box, and the words “Privacy Policy” were hyperlinked to WAMI’s Privacy Policy.
  4. On seven occasions between 31 October 2018 and 24 January 2019, WAMI accessed the website’s cloud-based database (the website database) and downloaded a CSV file containing the personal information of individuals (and potentially included some sensitive information of some individuals who completed the free text boxes) who made a submission via the online form, and who agreed (by not unselecting the tick box) to register for the petition (the Personal Information). WAMI then used the name and email addresses of some of those who agreed to register for the petition to contact the individuals on up to three occasions via email. No other Personal Information (including any potentially sensitive information) was used by WAMI.
  5. The Office of the Australian Information Commissioner (OAIC) is concerned that WAMI’s collection of some of the Personal Information was not reasonably necessary for its functions and activities, and that WAMI did not take reasonable steps to notify those individuals of the collection and use of the Personal Information as required by Australian Privacy Principle 5.2.
  6. WAMI advised it ceased to have access to the website from 22 February 2019.
  7. WAMI wishes to give this enforceable undertaking to address the OAIC’s concerns.

Commencement of undertaking

  1. This undertaking comes into effect when:
    1. it is executed by WAMI; and
    2. this undertaking, so executed, is accepted by the Commissioner (the Commencement Date).
  2. Upon the Commencement Date, WAMI assumes the obligations set out in this undertaking.

Interpretation

  1. Unless the contrary intention appears, terms defined in the Privacy Act have the same meaning in this enforceable undertaking as they have in the Privacy Act.

Remedial measures

  1. WAMI undertakes:
    1. not to access or collect any further personal information from the website;
    2. not to use or disclose the Personal Information or information generated from the Personal Information, unless the individual about whom the particular information relates otherwise provided separate and explicit consent to the use or disclosure by WAMI; and
    3. to destroy the Personal Information as contemplated in paragraph 15.

Review of Privacy Policy and Privacy Operating Procedure

  1. Within one month of the Commencement Date, WAMI will engage, in consultation with the OAIC, an appropriately experienced and qualified independent third party (the Reviewer) to undertake the matters set out in paragraphs 14 to 16.
  2. WAMI will use its best endeavors, including by taking contractual measures, to require the Reviewer to meet the obligations, including timeframes, in paragraphs 14 to 16.
  3. As soon as reasonably practicable after engaging the Reviewer, WAMI will notify the OAIC of the appointment and the date on which they were engaged.
  4. Within three business days of engagement, the Reviewer will oversee WAMI’s destruction of the Personal Information and certify, by providing a report to the OAIC and to WAMI within five days of the destruction, that it is satisfied with WAMI’s destruction of such Personal Information.
  5. Within three months of engagement, the Reviewer will:
    1. conduct a review of WAMI’s Privacy Policy (Policy) to ensure compliance with the Privacy Act; and
    2. prepare and implement a training program in relation to the Policy and the Privacy Act for all WAMI officers and employees.
  6. Within two weeks of the completion of paragraph 16, the Reviewer will provide a report to the OAIC and to WAMI:
    1. setting out the recommendations, if any, arising from the review at 16(a); and
    2. confirming that the training in paragraph 16(b) has been undertaken.
  7. Within fourteen days of the receipt of the Reviewer’s report, WAMI will ensure, and will confirm to OAIC in writing, that it has implemented all necessary changes to the Policy arising from any recommendations made by the Reviewer in paragraph 17(a).

Compliance reporting

  1. WAMI will provide all relevant documents and information requested by the Commissioner from time to time for the purpose of assessing WAMI’s compliance with the terms of this enforceable undertaking within seven days of the request or such longer period as the OAIC specifies.

Other matters

  1. WAMI will pay the costs of its compliance with this enforceable undertaking.
  2. WAMI’s Chief Financial Officer will be the person responsible for overseeing compliance with the requirements of this undertaking and reporting to the OAIC.

Acknowledgements

  1. WAMI acknowledges that the Commissioner:
    1. will publish this undertaking as well as a summary of the undertaking, on the OAIC website, excluding any confidential schedules;
    2. may issue a statement on execution of this undertaking referring to its terms and to the circumstances which led to the Commissioner’s acceptance of the undertaking; and
    3. may from time to time publicly refer to this undertaking, including any breach of this undertaking by WAMI.
  2. WAMI acknowledges that:
    1. The Commissioner’s acceptance of this undertaking does not affect the OAIC’s power to investigate, or pursue other enforcement options available to the Commissioner in relation to any contravention not the subject of the background section of this enforceable undertaking, or arising from future conduct.
    2. This undertaking in no way derogates from the rights and remedies available under the Privacy Act to any other person, arising from any conduct described in this undertaking or arising from future conduct.
    3. If the Commissioner considers that WAMI has breached this enforceable undertaking, the Commissioner may apply to the Federal Court or Federal Circuit Court to enforce the undertaking under s 115 of the Regulatory Powers Act.

Confidentiality of information provided to OAIC

  1. The Commissioner and the OAIC acknowledge that information provided by WAMI in accordance with this undertaking may contain sensitive commercial information. The Commissioner acknowledges that this information is provided by WAMI in confidence.
  2. The Commissioner and the OAIC will only:
    1. disclose any commercial-in-confidence information with WAMI’s written consent and agreement, unless otherwise required by law; and
    2. use any commercial-in-confidence information for the Commissioner’s privacy regulatory activities or as otherwise required by law.

Jesse Hamilton, Chief Financial Officer
Wilson Asset Management (International) Pty Limited

Date: 27 June 2019

Signature: <Signed>

Accepted by Angelene Falk under s 114(1) of the Regulatory Powers Act
Australian Information Commissioner
Privacy Commissioner

Date: 28 June 2019

Signature: <Signed>

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au