The MaxCap Group of Companies (MaxCap) are committed to the protection of personal information obtained through dealings with investors and borrowers and to complying with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
What information does MaxCap collect and why?
Personal information includes information, or an opinion about, an identifiable individual or an individual who is reasonably identifiable. The information or opinion may or may not be accurate, and may or may not be recorded in a material form.
MaxCap collects personal information that is reasonably necessary to provide individuals with a range of financial, debt advisory and other services offered by MaxCap. It is also used in correspondence from MaxCap to individuals and to fulfil our legal obligations under applicable laws and regulations, for example, Anti-Money Laundering and Counter-Terrorism Financing obligations.
Examples of personal information that may be collected by MaxCap include:
- Date of birth
- Financial status
- Personal identification documents (e.g. drivers licence and passport details).
Disclosure of personal information
MaxCap may use and disclose personal information only for the primary purpose for which it is originally collected. MaxCap does not share personal information with any external parties unless permission for the disclosure has been provided by the individual, or as is required by law.
Collection of personal information
MaxCap will collect most personal information directly from individuals via dealings with borrowers and investors. In some instances, third parties may provide MaxCap with personal information, for example some banks may pass information along as part of due diligence processes. In such cases, MaxCap will take reasonable steps to ensure that individuals are aware of the collection of that information.
Storage of personal information
Personal information is stored in a manner that reasonably protects it from misuse, interference, loss and unauthorised access.
MaxCap use a range of physical and electronic security measures to reasonably ensure the protection of personal information.
Once personal information is no longer required, MaxCap will take reasonable steps to either permanently de-identify personal information or destroy it entirely. Generally, client files are kept for a maximum of seven (7) years.
Access to personal information
Individuals can request access to the personal information that MaxCap holds about them. Corrections can also be made to the personal information at the request of individuals. Individuals can arrange for access to their personal information by contacting MaxCap.
MaxCap may require evidence of your identity before access to personal information is granted, or corrections are made to personal information.
Privacy concerns and complaints
Individuals may make a complaint with regards to the handling of their personal information by contacting MaxCap.
The written complaint must be forwarded to the Compliance Officer and must specify the alleged breach.
The Compliance Officer will consider the complaint in conjunction with senior management of MaxCap and make a determination within 45 days and advise the individual of the determination in writing.
Should the Compliance Officer deem a breach has occurred, they will write to the directors of MaxCap outlining any action required to remedy or rectify the breach which must be acted on within 30 days.
If an individual is not satisfied with the response provided by the Compliance Officer, alternative avenues may be available to individuals including:
Notifiable Data Breaches
MaxCap is required to notify individuals and the Office of the Australian Information Commissioner about ‘eligible data breaches’.
An eligible data breach occurs when the following criteria are met:
• there is unauthorised access to or disclosure of personal information held by us (or information is lost in circumstances where unauthorised access or disclosure is likely to occur).
• this is likely to result in serious harm to any of the individuals to whom the information relates.
• we have been unable to prevent the likely risk of serious harm with remedial action.
We will conduct an assessment if it is not clear if a suspected data breach meets these criteria. The assessment will determine whether the breach is an ‘eligible data breach’ that triggers notification obligations.