CURRENT VERSION DATE: 24 OCT 2018
1. Who this covers?
Our core businesses of fund administration and securities registration are complemented by our expertise in digital solutions and data analytics.
At Link we collect personal information about you and are committed to protecting this information and your privacy. Set out below is an explanation of how we use, collect and safeguard your personal information. In some jurisdictions where Link operates, namely the European Union ‘EU’, these privacy rights also apply to employees.
3. What personal information do we collect?
In the valid discharge of its functions, Link may collect and/or hold the following types of information:
• personal information; and
• sensitive/special category information,
in relation to relevant individual contacts in investor, compliance and share registration functions, client and supplier personnel, and other individuals with which Link comes into contact.
These are explained in more detail below.
3.1. Personal Information
This includes information that meets the following descriptions:
• mailing and/or street address;
• email address;
• telephone number;
• profession, occupation or job title;
• details of the services an individual has acquired from Link or its clients or which an individual has enquired about, together with any information necessary to deliver those services and to respond to enquiries;
• any additional information relating to an individual, provided to Link directly or indirectly through any Link website or online presence or through Link representatives; and
• information provided to Link through its service centres, meetings with Link representatives or customer surveys.
Link may also collect personal information from individuals seeking employment with Link (including contractors and temporary staff) relating to their suitability as an employee as well as employees of Link, including:
• age or date of birth;
• marital status;
• insurance details (relating to superannuation and pensions);
• banking details;
• references from previous employers;
• employment suitability information obtained from recruitment agencies or related entities acting on Link’s behalf;
• information from law enforcement agencies, including whether or not the individual has a criminal record;
• information from other government entities or third party companies, such as organisations that conduct competency or psychometric tests; and
• educational or vocational organisations to the extent necessary to verify your qualifications.
Other information that may be collected by Link that is not personal information because it does not identify you or anyone else, includes anonymous answers to surveys or aggregated information about how users utilise any Link websites.
3.2. Sensitive / Special Category Information
Less commonly, but where necessary for the provision of a service or compliance with the lawful authority, Link may also collect sensitive / special category information including, but not limited to:
• Health information;
• Immigration status;
• Membership of a trade association and/or trade union; and
• Details published in Politically Exposed Person (PEP) lists, criminal watch lists, United Nations Sanctions lists and the Australian Department of Foreign Affairs and Trade lists or EU lists of a similar nature (for Anti-Money Laundering Counter-Terrorism Financing and Autonomous Sanctions purposes).
4. How do we collect personal information?
Link collects some personal information directly from you, or your authorised representative, when you or they interact with us. Link may collect personal information:
• through your access to, and use of, Link websites;
• during conversations between you and Link representatives;
• from written requests, including email;
• when you complete an application, either on line or hard copy, regarding any of the services or opportunities included in Link’s websites; or
• through your provision of identity documents such as drivers’ licence, passport, utility bills etc for the purpose of verifying your identity.
Link may also collect personal information about you from third parties, including:
• your employer;
• government agencies or regulators;
• companies that are clients of Link, managed investment schemes and other entities whose registers Link analyses on behalf of those entities;
• other service providers;
• publicly available sources.
Link will only collect special category/sensitive information about a person with the consent of the individual, except where Link is required or permitted by law to collect such information without consent.
5. Why do we collect your information?
Link collects personal information about you so that we can provide services to you or our clients, including for the following purposes:
• to send you communications (on your request, or if we have a legitimate interest to keep you informed);
• to update records and keep your contact (and other) details up-to-date (on your request or otherwise in accordance with our legitimate interest to keep our records up to date);
• to answer your enquiries and provide information or advice about existing and new services (where we have a legitimate interest to deal with you properly and keep you informed);
• to process and respond to any complaints you may make (where we need to comply with an obligation we have to you, or otherwise in accordance with our legitimate interest to deal with issues);
• to provide you with access to protected areas of our websites (where we need to comply with an obligation we have to you, or otherwise in accordance with our legitimate interest to run our services efficiently);
• to assess the performance and improve the operation of our websites (in accordance with our legitimate interest to manage our sites efficiently);
• to conduct processing functions including providing new and updated personal information to our related bodies corporate, contractors, service providers or other third parties as part of contracted duties on behalf of those entities (in accordance with our legitimate interest to run our services efficiently);
• for the administration, marketing (including direct marketing), product or service development, quality control and research, as required by Link and our related bodies corporate, contractors or service providers (in accordance with our legitimate interest to run our business efficiently); and
• to comply with any other law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or where a government authority makes recommendations that are not mandatory but which we elect to follow (where we need to comply with law, or otherwise in accordance with our legitimate interest to deal with issues appropriately).
If you do not provide Link with the personal or sensitive /special category information described above, some or all of the following may happen:
• Link may not be able to provide services to you, either to the same standard or at all;
• we may not be able to provide you information that you may want, including information about services or special promotions;
• we may not be able to tailor the content of our websites to your preferences and your experience of Links’ websites may not be as positive or useful to you;
• we may not be able to offer you employment with Link; or
• you may be subject to additional taxation or your assets or entitlements could be transferred to various relevant regulator or revenue offices.
6. How do we use your personal information?
We will use the information we hold about you for the following purposes:
• To provide you with the services, products, and/or information you request from us (where we have your consent, or need to comply with an obligation we have to you, or otherwise in accordance with our legitimate interest to deal with issues efficiently);
• To check your identity (where we need to comply with a legal obligation we have, or otherwise in accordance with our legitimate interest to run our business properly);
• To assess any application you make to participate in any service we provide (where we need to comply with a legal obligation we have, or otherwise in accordance with our legitimate interest to run our business properly);
• To prevent and detect fraud and/or money laundering (where we need to comply with a legal obligation we have, or otherwise in accordance with our legitimate interest to run our business properly);
• So that we or our clients can communicate with you as necessary (where we have your consent, or need to comply with an obligation we have to you, or otherwise in accordance with our legitimate interest to deal with issues efficiently);
• To carry out analysis about our services and how we might improve them (in accordance with our legitimate interest to develop our business and services); and
• To notify you about changes to our services (in accordance with our legitimate interest to keep you informed).
Generally, most information received by Link is immediately and automatically recorded (i.e. most telephone calls are electronically recorded and most documents received are scanned into an electronic image.) This is necessary because Link is a trusted third party record keeper, providing technical, administrative, support and/or financial services involving day-to-day money and security asset movements, where imprecise record keeping may have significant adverse consequences.
7. Who do we share personal information with?
Personal information held by Link will only be used for purposes directly related to one or more legitimate functions or activities of Link in the provision of its services or as otherwise permitted by law.
Link may disclose your personal information to:
• Any member of Link which means our subsidiaries, our ultimate holding company and its subsidiaries (from time to time) as necessary to provide you with services or to fulfil our contract with you (in accordance with our legitimate interest to run our business efficiently);
• our employees as required in order to use your information as set out in section 6 of this policy;
• issuers of securities for whom we are contracted to provide ownership analytics and governance advisory services or other services (in accordance with our legitimate interest to provide analytics services);
• contractors or service providers, for the purposes of the operation of Link’s business or websites (in accordance with our legitimate interest to run our business efficiently);
• third parties, in order to fulfil requests by you, and to otherwise provide services to you (e.g. insurers and identity verification) (where we have your consent, or need to comply with an obligation we have to you, or otherwise in accordance with our legitimate interest to deal with issues efficiently);
• IT systems administrators, web hosting providers, mailing houses, couriers, payment processors, data entry service providers, electronic network administrators, debt collectors (in accordance with our legitimate interest to run our business efficiently);
• professional advisors such as accountants, solicitors, business advisors and consultants (in accordance with our legitimate interest to run our business appropriately);
• suppliers and other third parties with whom Link has a commercial relationship, for business, marketing, and related purposes (where we have your consent, or otherwise in accordance with our legitimate interest to deal with issues efficiently);
• government organisations with statutory responsibility to regulate various areas of our business operations (in accordance with our legitimate interest to run our business in a compliant manner);
• law enforcement agencies (in accordance with our legitimate interest to run our business in a compliant manner); and
• any organisation for any authorised purpose with your consent.
In some cases, Link may be required to disclose your personal information without your consent. Specific instances include where:
• we are required or authorised by law. For example, where an entity is subject to a statutory requirement to report certain matters to an agency or enforcement body; or
• a warrant or notice issued by a court requires Link to produce records or documents we hold.
Where we refer to our “legitimate interests”, we mean our interests in managing our services and our relationship with you. We will make sure that we take into account any potential impact that such use may have on you. Our legitimate interests will not automatically override your interests, and we won’t use your information if we feel that your interests override ours, unless of course you provide your consent, or we have a contractual or legal obligation to use your information in that way. If you have any questions or concerns, please contact us using the details set out below.
8. Direct marketing materials
Link may send you direct marketing communications and information about its services or those of its clients that Link considers may be of interest to you. These communications may be sent by mail, SMS, fax and email, in accordance with applicable Australian marketing laws, such as the Spam Act 2003 (Cth) and applicable EU directives such as the Directive on Privacy and Electronic Communications. If you indicate a preference for a method of communication, Link will endeavour to use that method whenever practical to do so. In addition, you may opt-out of receiving marketing communications from Link at any time by:
• contacting us (see details below), or
• using opt-out facilities provided in marketing communications.
Link will then take all reasonable steps to remove your name from the mailing list.
Link does not provide your personal information to any other organisations for the purposes of direct marketing.
9. Does Link disclose your personal information to anyone outside Australia?
As part of providing services to you and in Link’s capacity as a controller and / or processor, occasionally personal information may be stored or processed at locations outside Australia.
Link may disclose personal information to corporate and third party suppliers, service providers and regulators located overseas for some of the purposes listed in section 6 above.
Link takes all reasonable steps to ensure that the overseas recipients of your personal information do not breach any privacy obligations (including the Australian Privacy Principles and GDPR requirements) relating to your personal information.
Link may disclose your personal information to entities located outside of Australia, including to data hosting organisations, IT service providers, and other third party vendor/suppliers that are located overseas. At the date of this policy, the countries that Link discloses information to include: Canada, China (Hong Kong), France, Germany, India, Luxembourg, New Zealand, Papua
New Guinea, South Africa, Switzerland, the Philippines, the United Kingdom, the United States of America, and United Arab Emirates. In each of these instances, Link has relevant agreements and contracts with entities operating in these countries to ensure the security of your personal information as well as compliance with relevant data protection requirements.
10. How do we keep your information secure?
Link will take all reasonable steps to ensure your personal information is protected from misuse, loss and unauthorised access, modification or disclosure in accordance with statutory requirements. This includes having security measures and controls in place to protect personal information including limiting access, cryptography, physical and environmental security and audit monitoring.
Link may hold your information in either electronic or hard copy form, and will destroy or de-identify personal information when it is no longer required or when we are no longer required by law to retain it (whichever is the later). In order to maximise the protection of data within our control, the following industry aligned best practice information security controls have been implemented:
• Information Security Management System certified to an international standard, e.g. ISO27001
• Firewalls on the network perimeters,
• DMZ to separate the internet from our internal network,
• Web Application Firewalls (WAF) protecting the Web based application systems,
• Intrusion Prevention Systems (IPS) on the network perimeter,
• Data Loss Prevention (DLP),
• Data Access Monitoring (DAM) on internal database platforms,
• Secure-System Development Lifecycle (s-SDLC) controlling the internal developments,
• Log Management and monitoring,
• Monitoring of Vendor Alerts,
• Penetration Tests and Vulnerability Assessments (Tenable Nessus) run against the OWASP Top 10 and SANS25 of all externally facing systems;
• The 24/7 managed IPS solution incorporates threat modelling and intelligence services including DDoS alerting and prevention as do the firewalls.
• Anti-virus protection with regularly updates virus-definition data,
• Application of available patches through regular patching cycles.
As Link websites are grouped to the internet, which is inherently insecure, Link cannot:
• provide any assurance regarding the security of transmission of information you communicate to us online; or
• guarantee the information you supply will not be intercepted while being transmitted over the internet.
Accordingly, any personal or other information which you transmit to Link online is transmitted at your own risk.
11. How long will we store your information for?
We generally hold your personal data on our systems for as long is necessary to provide Services and/or perform our contract. This can be up to ten years from the date you cease to use the Services or the termination of our Agreement in order to allow us to refer to your information in correspondence with you, or in connection with legal or regulatory proceedings. In some EU jurisdictions, the retention period may be greater than ten years. In these cases, Link will ensure that records are not retained for any period longer than required or prescribed by law.
12. Your rights
• Right of access – you have the right to know if we are using your information and, if so, the right to access it and information about how we are using it (see section 13 for more information).
• Right of rectification/correction – you have the right to require us to correct any errors in the information we hold about you (see section 13 for more information).
• Right to erasure – In some cases, you will have the right to require us to delete your information if our continued use is not justified.
• Right to restrict processing - in some cases and circumstances, although you may not be entitled to require us to erase your information, you may be entitled to limit the purposes for which we can use your information.
• Right of data portability – In some cases where we are relying on consent to use your information, you have the right to require us to provide you with a copy of your information in a commonly used machine-readable format or to transfer your information directly to another controller (e.g. a third party offering services competing with ours).
13. How can you access and correct your personal information?
You may request access to any personal information Link holds about you at any time by contacting us (see the details below). Where we hold information that you are entitled to access, we will try to provide you with a suitable means of accessing it (for example, by mailing or emailing it to you).
There may be instances where Link cannot grant you access to the personal information it holds, for example, if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality or a breach of legislation. If that happens, we will generally give you written reasons for any refusal.
If you believe that personal information Link holds about you is incorrect, incomplete or inaccurate, then you may ask us to amend that information. We will then consider if the information requires amendment. If we do not agree that there are grounds for amendment then we will add a note to the personal information stating that you disagree with it.
14. How do Link websites use my Internet Protocol (IP) address and collect cookies?
Each time you use our websites, we will automatically collect certain technical information, including the type of browser you use, the Internet Protocol (IP) address used to connect your computer to the internet, and information about your visit, including the full Uniform Resource Locations (URL), clickstream to, through and from our sites, traffic data and other communication data, the resources that you access, and the information derived from the cookies we place on your mobile device and/or computer. In order to improve the quality of our website and services, we may from time to time send your computer a "cookie". Cookies are text files that identify your computer to our server and are stored on your device. Cookies in themselves do not identify the individual user, just the computer used. Cookies enable us to improve your user experience by avoiding the need for you to enter the same information more than once. They also allow us to analyse user behaviour to improve the functionality and performance of our website.
We comply with the EU cookie regulations as introduced in the UK on 25 May 2011 through the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. There are two types of cookies that can be stored on your device:
• "session cookies", which only last for the duration of your visit to our website and are automatically deleted from your device when you close your browser; and
• "persistent cookies", which remain on your device after you have visited our website and are not deleted when you close your browser. Persistent cookies are sent back to our server every time you visit our website.
We make use of session cookies, which are essential to maintain security throughout the site, and are not used for tracking purposes. Session cookies are used to help us remember your movements from page to page, avoiding the need for you re-enter the same information. Session cookies are held in memory and expire when you leave our website.
We never gather other information from your disk or computer. We will collect a copy of the data held by the cookie from inclusion in any analysis. We use full SSL protocols when collecting visitor information on secure pages; this ensures that the site’s security is not compromised. We encrypt all transmitted visitor information (even from non-secure pages), so no-one else can read the information we gather. None of the cookies used on our websites collect, record or store personally identifiable information about you.
By continuing to use our websites, you are consenting to us placing session cookies on your device for the purposes detailed above. Most users will be able to adjust their internet settings to accept all cookies, to notify them when a cookie is issued, or not to receive cookies at any time. The last of these, of course, means that certain personalised services cannot then be provided to that user. Please note that the websites to which our sites may be linked may also make use of their own cookies. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our sites.
15. Following links from our websites
Our site may contain links to other sites. Such other sites may also make use of their own cookies and will have their own privacy policies. You should carefully review the privacy policies and practices of other sites, as we cannot control or be responsible for their privacy practices. We do not accept any liability for the privacy practices of such third party websites and your use of such websites is at your own risk.
Email: [email protected]
Post: Attn: Privacy Officer
Locked Bag A14
Sydney South NSW 1235
Telephone: + 61 1800 502 355 (free call within Australia)
9am–5pm (Sydney time), Monday to Friday (excluding public holidays),
Link has an established internal dispute resolution system in place to efficiently manage enquiries and complaints. We encourage individuals wishing to make enquiries or lodge a complaint about how Link handles personal information to do so. At first instance, your enquiry or complaint should be addressed to Link directly, via the details provided above.
If you are not satisfied with our response, or believe we are not processing your personal information in accordance with the law, you may complain to your relevant supervisory authority.
Office of the Australian Information Commissioner