Privacy & Security (including APPs + TFN Handling)
Purpose & scope
We protect personal information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This note summarises how we collect, use, secure and dispose of personal information we handle while providing paraplanning services. There are specific rules for Tax File Number (TFN) information, which we follow in addition to the APPs.
What we collect
Only the information reasonably necessary to produce the agreed advice documents (e.g., fact-find details, strategy inputs, product/platform data).
We avoid collecting TFN information wherever possible and only handle TFNs where permitted and necessary for the stated purpose. We never adopt a TFN as our own identifier.
How we use and disclose information
Use: to scope, draft and quality-assure SOAs/ROAs and related paraplanning tasks.
Disclosure: to your practice contacts and (if relevant) licensee systems you authorise. We do not send data offshore or sell it.
Overseas disclosure (APP 8): we avoid it; if ever required, we will only proceed with your written instruction and ensure appropriate safeguards/contractual controls are in place.
Security controls (APP 11 — “reasonable steps”)
Access control & MFA: Microsoft 365 Business with multi-factor authentication; least-privilege access per client.
Encryption & segregation: encrypted storage; client-specific folders and naming; no TFNs in email subject lines or open text.
Transmission: secure file-transfer links or protected folders (no TFNs in standard email attachments).
Device & monitoring: hardened devices, auto-lock, patching, anti-malware; activity logging for access to client folders.
Retention & disposal: we keep records only as long as needed for the purpose and your instructions, then securely destroy or de-identify them unless an Australian law requires retention.
TFN handling (TFN Rule)
Collect TFN information only where authorised/necessary for a lawful tax-related function and via secure channels.
Use & disclose TFN information only for the purpose it was provided (or as required by law).
Store TFN information securely, restrict access to personnel on a need-to-know basis, and avoid recording TFNs in notes, emails or screenshots.
Destroy or de-identify TFN information when it is no longer needed for the authorised purpose and no legal retention duty applies.
Data quality, access & correction
We take reasonable steps to keep information accurate, up-to-date and complete, and we’ll correct it on request where appropriate (APPs 10, 12, 13). Contact us if you need access or a correction to information we hold.
Data breaches (NDB scheme)
We maintain an incident response procedure. If a breach is likely to result in serious harm, we will assess promptly and notify affected individuals and the Office of the Australian Information Commissioner (OAIC) where the Notifiable Data Breaches (NDB) scheme applies. We will also work with you to contain and remediate.
Third parties & sub-processors
We do not use offshore processors. Any Australian third-party tools (e.g., file-sharing) are assessed for APP-aligned security; contracts include confidentiality, purpose limitation and deletion on termination.
Your responsibilities (as the AFSL/practice)
Provide complete and accurate intake packs.
Avoid sending TFNs via email; if TFN information must be shared, use our secure channel and mark it clearly.
Tell us promptly if a correction is required or if you need a different retention period.
Contact
Questions or requests (access/correction/complaint): admin@levelupfinancialservices.com.au
Disclaimer: This is general information about our privacy and security practices and is not legal advice. For the APPs and TFN requirements, see the OAIC’s guidance.