Privacy Policy

Effective Date: 15 January 2025

This document outlines how renalyquora manages information entrusted to us by families and individuals seeking financial guidance throughout Australia.

Running a family business means understanding that trust isn't built through legal jargon—it emerges from how we actually behave when someone shares their financial details with us. Over three generations, we've learned that people remember how their information was treated far more than what any policy promised.

What follows isn't a compliance exercise. It's an honest account of what happens to the specifics you share when seeking financial advice, how we limit what we ask for, who can access it internally, and when it might leave our organization.

What We Actually Need From You

Financial planning requires real numbers and personal context. We can't build a viable strategy around vague estimates or incomplete pictures. But there's a difference between necessary detail and invasive questioning.

Identity and Contact Essentials

Your name, residential address, phone number, and email establish who you are and how we reach you. This sounds obvious, but it's worth stating: we don't request social media profiles, employment histories beyond income verification, or personal references unless a service specifically depends on them.

Financial Position Elements

Income sources, existing debts, asset holdings, and investment accounts form the core of any meaningful conversation about money. We record account numbers when setting up direct transfers or linking to financial institutions on your behalf. Tax file numbers appear only when legally required for reporting or when managing taxable investments.

Interaction Records

When you send an email, call our office, or submit a web form, those exchanges get logged. If you schedule a meeting through our booking system, that creates a record. We retain these not out of bureaucratic habit but because referring back to what was discussed six months ago often prevents misunderstandings.

Information arrives through several channels: forms you complete on our website, documents you email or upload, verbal details shared during consultations that we note down, and—occasionally—data pulled from third-party services when you've authorized the connection.

Why These Specifics Matter

The question isn't whether we need information—it's whether each piece serves a genuine purpose that benefits the person sharing it.

Service Delivery Functions

Providing financial advice means analyzing current circumstances, modeling scenarios, and tracking progress over time. None of that functions without accurate baseline data. Your details let us build cash flow projections, assess risk exposure, and recommend adjustments as circumstances shift.

Legal and Regulatory Obligations

Australian financial services legislation mandates certain record-keeping and reporting standards. Anti-money laundering rules require identity verification. Tax regulations demand specific documentation. We don't collect beyond these requirements, but we can't operate lawfully while ignoring them either.

Communication and Continuity

Sending appointment reminders, sharing updated documents, responding to queries, and maintaining ongoing advisory relationships all depend on having current contact information and context about previous discussions. This continuity particularly matters in a family business where relationships often span decades.

Security and Verification

Confirming that someone requesting account access is actually authorized prevents fraud. Logging access attempts helps identify unusual patterns. Security isn't about paranoia—it's about making certain that financial details reach only intended recipients.

When a purpose expires, so does our justification for retention. If you close your account and request deletion, we'll comply within the bounds of legal retention requirements—typically seven years for financial records under tax law.

Internal Access and External Movement

Information doesn't sit in a vault that only one person can open. Multiple staff members require access to perform their roles. What matters is limiting that access based on actual need and controlling when details leave our organization entirely.

Who Internally Can See What

Financial advisors working directly with you obviously need comprehensive access to your file. Administrative staff handling scheduling, document preparation, or billing see relevant portions but not your complete financial position. Technical staff maintaining our systems can access data structurally but aren't browsing client details without specific cause.

We don't implement elaborate permission hierarchies for theatrical effect. Restrictions exist because broad access creates both security risks and privacy concerns. Someone processing appointment confirmations doesn't need your investment portfolio details.

Operational Reality Check: In a family business, lines sometimes blur. A senior family member might technically have system access beyond their daily role. What prevents misuse isn't just technology—it's culture, oversight, and the understanding that violating client trust damages something built over generations.

When Information Leaves Our Organization

Financial services rarely operate in isolation. Third parties enter the picture under specific circumstances:

  • Platform providers and custodians where your investments are actually held receive necessary details to execute transactions and maintain your accounts
  • Technology vendors supplying our client management system, document storage, or communication tools process information as part of infrastructure—they're bound by contracts limiting use to service provision
  • Professional advisors like accountants or solicitors receive information when you've engaged them through our referral or when collaboration benefits your financial strategy
  • Regulatory bodies receive reports when legislation requires disclosure—typically related to tax reporting or financial services compliance
  • Legal processes occasionally compel disclosure through subpoenas or court orders despite our preference to refuse

We don't sell client lists, rent contact information, or participate in data brokerage. Marketing partnerships involving client data don't exist in our business model. When third parties receive information, it's either with your explicit permission, as necessary for delivering the service you requested, or under legal compulsion.

Geographic Movement Considerations

Our operations remain within Australia, and we select service providers with local data storage where practical. Some technology platforms operate globally with data potentially touching overseas servers despite contractual commitments to Australian privacy standards. Cloud infrastructure doesn't always respect geographic boundaries as cleanly as we'd prefer. Where international transfer occurs, we verify that contractual protections and technical safeguards meet requirements under Australian privacy legislation.

Duration, Removal, and Control

Information doesn't need to persist indefinitely just because it once served a purpose. Retention should match actual necessity balanced against regulatory requirements.

How Long Things Remain

Active client files stay complete while the advisory relationship continues. After termination, we retain records for seven years—the period Australian tax law requires for financial documentation. Communication logs and transaction histories follow similar timeframes. Marketing preferences and contact details not connected to financial services can be removed immediately upon request.

Some information survives longer not from choice but necessity. Court orders, regulatory investigations, or disputes require retaining relevant records beyond standard schedules. Once those exceptions resolve, deletion proceeds.

Your Ability to Intervene

Seeing what we hold about you requires a straightforward request to our office. We'll compile the information within a reasonable period—usually within 30 days, though complex files occasionally need longer. You won't pay for access to your own information unless the request is unusually burdensome or repetitive.

Corrections happen when you identify inaccuracies. If details are wrong, tell us and we'll update them. If we disagree about accuracy, we'll note your objection within the file even if we don't change the entry.

Deletion requests get honored except where retention is legally required. Financial records typically can't be removed during the mandatory seven-year period. Marketing material subscriptions can be cancelled anytime. The distinction matters: some data lives in regulatory space, some in our preference.

Objections to processing—where you believe we're handling information inappropriately—trigger review. We'll either stop the activity, explain why it's necessary, or find an alternative approach. Regulatory obligations sometimes limit flexibility, but we'll clarify what's discretionary versus mandatory.

Practical Limits: Deleting information doesn't erase history. If you request removal after years of service, backups, archived emails, and third-party records won't vanish instantly. We'll take reasonable steps across systems we control, but perfect erasure is technically and legally complicated.

Protection Measures and Remaining Risks

Security isn't about achieving perfect invulnerability—it's about implementing reasonable protections and acknowledging that no system is completely breach-proof.

Technical Safeguards

Encryption protects data during transmission and when stored on our systems. Access requires authentication, and sensitive operations trigger additional verification. Firewalls, intrusion detection, and regular security updates form baseline infrastructure. We monitor for unusual access patterns that might indicate unauthorized activity.

Our technology vendors undergo security assessments before engagement. Contracts require them to maintain protections meeting industry standards. Physical security controls restrict access to facilities where information is stored.

Organizational Practices

Staff receive training on privacy obligations and information handling procedures. Clear-desk policies prevent leaving sensitive documents exposed. Device security requirements apply to anyone accessing client information remotely. We investigate incidents when they occur and adjust practices based on findings.

What Could Still Go Wrong

Despite precautions, risks persist. Sophisticated cyberattacks sometimes defeat defenses. Insider threats occasionally emerge despite vetting and monitoring. Human error leads to accidental disclosures. Third-party breaches affect data they hold on our behalf. Natural disasters or system failures could result in data loss despite backup systems.

We can't guarantee absolute security because absolute security doesn't exist. What we can promise is ongoing investment in protections, rapid response when issues arise, and honest communication about incidents affecting client information.

Legal Foundations and Jurisdiction

This policy operates within the Australian privacy law framework, particularly the Privacy Act 1988 and the Australian Privacy Principles. Financial services regulations add specific requirements through ASIC oversight and professional obligations under our Australian Financial Services License.

When we process your information, we typically rely on several legal bases simultaneously: contractual necessity for service delivery, legal obligations under financial services legislation, and—where neither applies—legitimate interests in operating our business effectively while respecting your rights.

Australian privacy law grants you enforceable rights around access, correction, and complaint. If you believe we've breached privacy obligations, you can raise concerns with us directly. If our response doesn't satisfy you, you can escalate to the Office of the Australian Information Commissioner, which investigates complaints and can impose penalties for serious violations.

Questions and Concerns

Policies explain frameworks, but specific situations often need direct conversation. If something about how we handle your information concerns you or just doesn't make sense, talking to someone here usually resolves it faster than navigating formal complaint processes.

906 Cargo Rd, Orange NSW 2800, Australia
+61 7 4051 6826
support@renalyquora.com