2. Privacy An Overview for Staff Prepared by MSM Compliance Services Pty Ltd

3. Who Are MSM Compliance? MSM is a national professional services business focused on the general insurance industry. Your company has engaged MSM to assist in the management of its obligations as a holder of an Australian Financial Services Licence. MSM helps to ensure that you and your company comply with your AFS Licence obligations with the least disruption to your core business.

4. Why are you reading this? To provide you with an introduction to our Privacy Policy and Procedures. It will present you with a synopsis, but not the detail. You should still take the time to read the full Privacy Policy & Procedures.

5. Why do we have a Privacy Policy & Procedures? IT IS THE LAW T he Privacy Act requires all businesses with a turnover in excess of $3M to have a system to manage client information. and IT IS GOOD BUSINESS PRACTICE W e need clients to provide us with a substantial amount of information, some of it confidential (see “Sensitive Information”). They need to be confident that it is secure & will not be misused.

6. What does it apply to? All the “personal information” we collect. Personal information is information or opinion about an individual whose identity is apparent or can easily be ascertained. Sensitive information refers to a person’s racial or ethnic origin, political opinions, membership of a political, trade or professional association or a trade union, religious or philosophical beliefs or affiliations, sexual preferences, criminal record or health information.

7. Who is the Privacy Officer? A staff member who is appointed and fully supported by the board and/or senior management of our company. is senior, experienced and effectively trained to perform this important role. is responsible for the monitoring and adherence to our Policy & Procedures. acts quickly to prevent and rectify privacy breaches. keeps abreast of changes within the industry that effect our Privacy Policy. is given the role (PO) on our Organisation Chart

8. Privacy Promotion & Openness We make sure that all new and existing staff read Privacy Policy & Procedures. regularly discuss & review Privacy Issues at our Staff meetings. provide our Privacy Policy Statement to anyone who asks for information.

9. Recent Changes Changes from March 2014 Created by Privacy Enhancement Act Previously 10 National Privacy Principles Now 13 Australian Privacy Principles Overall increased privacy protection New fines and penalties apply

10. 13 Australian Privacy Principles 1. Open and transparent management of personal information 8. Cross-border disclosure of personal information 2. Anonymity and pseudonymity 9. Adoption, use or disclosure of government related identifiers 3. Collection of solicited personal information 10. Quality of personal information 4. Dealing with unsolicited personal information 11. Security of personal information 5. Notification of the collection of personal information 12. Access to personal information 6. Use or disclosure of personal information 13. Correction of personal information 7. Direct marketing

11. 1. Open and transparent management of personal information Manage Personal Information in an open and transparent way. Comply with the Australian Privacy Principles. Documented systems to handle privacy enquiries and complaints. Up to date and compliant Privacy Policy Statement Provide Privacy Policy Statement on request / website.

12. 2. Anonymity and pseudonymity Where practical we will allow customers to deal with us without requiring them to specifically identify themselves. This will usually be limited solely to providing simple product quotations and general queries.

13. 3. Collection of solicited personal information Only collect personal information that we need in a lawful and fair manner for the Primary Purpose(s) for: –Activities authorised under our Australian Financial Services Licence (AFSL). –Other services typically associated with our AFSL activities e.g. claims handling, premium funding etc. We do not collect or disclose sensitive information without the individual’s prior consent.

14. 4. Dealing with unsolicited personal information In some situations we may receive personal information that we have taken no active steps to collect. If and when we receive such information and it is not required by us as part of providing financial services to our clients we will de-identify or destroy such information as soon as practicable.

15. 5. Notification of the collection of personal information (1) When collecting information we must make the individual aware of: –When we collect information about individuals from various third parties, that we have collected such information and from where it was sourced. –The purpose of the collection –Consequences of not collecting the information. –Details of parties that we give the information to. –Information on how individuals can access and correct information.

16. 5. Notification of the collection of personal information (2) When collecting information we must make the individual aware of: –How individuals can make a complaint about a breach of the Privacy Principles. –Whether we will disclose information to overseas entities. –The countries where these overseas entities are domiciled (where practicable). All of this information is contained in our Privacy Policy Statement.

17. 6. Use or disclosure of personal information We only use or disclose personal information for: –activities authorised under our Australian Financial Services Licence (AFSL). –providing expected ancillary services typically associated with our AFSL activities e.g. claims handling, premium funding etc. In particular, we do not trade, rent or sell personal information.

18. 7. Direct marketing When direct marketing to clients we must include an Opt Out option every time. We do not charge for Opting out. Where clients request that we do not send them marketing material we must ensure that their file is marked accordingly and no further material is forwarded to them.

19. 8. Cross-border disclosure of personal information (1) We are responsible for and can be fined / penalised where we send /share/store information with an overseas entity that does not comply with the APP’s and a breach of privacy occurs. E.g. Lloyds of London syndicates or brokers and other overseas based product providers and intermediaries or in situations where we utilise “Cloud Computing” services that are situated outside Australia.

20. 8. Cross-border disclosure of personal information (2) Companies based in UK / EU / USA are OK. For other countries we need to make enquiries with supplier to verify arrangements are comparable to the APP’s. Maintain a table of such suppliers and our findings.

21. 9. Adoption, use or disclosure of government related identifiers We do not use tax file numbers / Medicare or other governmental identifiers to identify any person We collect, use and disclose identifiers of employees only where necessary to process payroll, tax, super etc.

22. 10. Quality of personal information We must ensure we take all reasonable steps to ensure the information we collect and use is accurate, up to date and complete.

23. 11. Security of personal information We take reasonable steps to protect the personal information we hold from misuse and unauthorised access, modification, interference (such as attacks on our computer system) and disclosure. We destroy or de-identify personal information when it is no longer needed.

24. 12. Access to personal information (1) In principle, we will provide a person with access to the personal information we hold about them on request. Confirm that the person requesting the information is who they claim to be. Provided free apart from reasonable costs. The Privacy Officer will be responsible for providing access to personal information. Provide the information by the most cost-effective and practical method available. Requests for access should be acknowledged within 7 – 10 days. Straightforward requests for access should be fulfilled within 14 days and if complex within 30 days.

25. 12. Access to personal information (2) We may refuse to provide access to personal information in the following circumstances: –The request is frivolous, vexatious, –Unreasonably impact on the privacy of others. –Legal proceedings against us by the person and the information would not be discoverable. –Prejudice our position in negotiations with person. –Where it is unlawful We must provide reasons & complaint process

26. 13. Correction of personal information If information in our records is incorrect, incomplete or out of date we must update the records within a reasonable time to make them accurate. If the records are inaccessible and no longer required, consider destroying or de-identifying the information If we do not agree that the information is inaccurate, incomplete or out of date, and if requested, attach to it a statement to the effect that the person to whom the information relates claims that it is inaccurate, incomplete or out of date. If requested we must advise Third Parties that we have provided incorrect information and to update their records. Refusals – Reason and Complaints process

27. In summary You should read the full Privacy Policy & Procedures. not discuss or share any information on a client unless it is directly connected to the provision of the services they have requested. promote our Privacy Policy to clients and other staff. Confirm the identity of any person requesting Personal Information from us. Notify your manager if you become aware of any breaches of security relating to information that we hold.

28. Where to from here? Please take the time to read our full Privacy Policy and Procedures and if you require further clarification discuss with our Privacy Officer.