Introduction
Tilbrook Rasheed Pty Ltd and those entities controlled by Tilbrook Rasheed Pty Ltd, being Tilbrook Rasheed Services Pty Ltd, TR Financial Services Pty Ltd, Tilbrook Rasheed  Audit Services Pty Ltd and Tilbrook Rasheed (together, ‘Tilbrook Rasheed‘ ‘TR‘) (referred to below as “we,” “us,” and “our“) respect and are committed to protecting our clients and their nominated contacts and representatives (including trustees, company directors / officers, spouses and dependents) and handling personal, sensitive and special categories of information in an open and transparent way.

This Policy outlines the obligations TR has in managing and protecting the personal information we collect, hold, use, and store about our clients, potential clients, contractors, and others, in order to comply with the Privacy Act. The Privacy Act does not apply to acts or practices that are directly related to employee records of current or former employees, however, it does apply to applicants for positions with us and our clients, where we provide our clients with recruitment services. ‘Personal information’ is information or an opinion relating to an individual which can be used to identify that individual.

We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles set out in that Act. We also maintain an internal privacy policy, engagement letters and standard terms and conditions governing the delivery of professional services which also describe how we handle personal, sensitive and special categories of information. By providing your personal information to TR you are agreeing to bound by our Privacy Policy. If you have any questions or concerns regarding this privacy statement, please contact the Privacy Officer using the contact details below.

1. Information we collect
The main types of information we may collect and hold depends on the nature of our engagement with you. Personal information we collect may include, but is not limited to, personal information relating to you, your spouse and dependants regarding:

• Names, dates of birth, place of birth, gender, job titles, telephone numbers, address details, other contact information, and your relationship to a person;
• Information in identification documents (for example: passport or driver’s licence);
• Tax file numbers and other Government-issued identification numbers;
• Details of your financial circumstances, including bank account details, your assets and liabilities (both actual and potential), income, expenditure, insurance cover and superannuation;
• Educational qualifications, employment details and employment history, salary and referee reports;
• Visa or work permit status;
• Your Internet Protocol (IP) addresses and email addresses;
• Details of your investment preferences and aversion or tolerance to risk (if a wealth advisory client);
• Information in relation to:
  • clients, business associates and potential clients and their employees
  • suppliers and their employees
  • prospective employees
  • contractors, and
  • other people who encounter us.

We may also collect sensitive and special categories of personal information directly from clients to provide professional services. The types of special categories of personal and sensitive information that we may collect includes, but is not limited to, health records, information regarding racial or ethnic origins, criminal convictions, membership of a political association or membership of a trade union and other records of correspondence and interactions with us.

Sensitive and special category information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or where certain other limited circumstances apply (e.g. where required by law).

In some instances, it may be necessary to collect personal, sensitive, and special categories of information from clients that relates to their employees, members, customers, third parties, their spouse and dependants to provide professional services. In those circumstances we rely on clients to only provide us with information that they have handled in accordance with the Privacy Act, including obtaining any necessary consent for TR to collect, use and disclose that information.

We may also collect personal information from suppliers, contractors, and third-party service providers to operate our business such as contact details and account details.

We may also collect personal information that is publicly available.

As a provider of accounting, business, and taxation advisory services we are subject to certain legislative and regulatory requirements which necessitate us obtaining and holding detailed information which personally identifies you and/or contains information or an opinion about you.

2. How we collect and manage personal information

2.1 Collection of personal information
We collect personal information in several different ways, for example:

• directly from you when you engage with us or we engage with you via face-to-face meetings, virtual meetings or over the phone;
• through correspondence with us or when you subscribe electronically to our publications;
• you provide it to us via business cards;
• a third party provides it to us, for example, a report provided by a medical professional, fund manager, superannuation, ATO, ASIC, ABR and other product issuers; or
• reference from another person, your personal representative or a publicly available record.

2.2 Your rights in relation to your personal information
You have the right to make general enquires about the services we provide, while remaining anonymous and therefore provide either little or no personal information, however without the personal information we request, we will be unlikely to be able to provide our services to you.

You have a right to refuse us authorisation to collect information from a third party.

2.3 Where you provide us with personal information about someone else
From time to time you may provide us with someone else’s personal information, e.g. your family group and your associates. You must not do this unless you have their consent to do so. You should also take reasonable steps to inform them of the matters set out in this Privacy Policy.

There may be times when we receive personal information that we do not solicit. If this occurs we will determine if you have given your consent and the information is necessary for us to provide our services, or whether the collection is required or authorised by or under an Australian law or a court/tribunal order. If it is, the information will be dealt with in accordance with the Australian Privacy Principles as if the information had been solicited. If it is determined that we should not have obtained this information, we will destroy or de-identify the information as soon as practicable, provided it is lawful and reasonable to do so.

2.4 Website collection of personal information
As a visitor to our website https://trca.com.au/, we may collect certain information about your visit automatically. This information may include your IP address, web browser, device type and operating system. Using Google Analytics, we may also gather data on the pages you view, the links you click, and the duration of your visit. This information is used specifically to understand and enhance your online experience with our website.

If you choose to provide personal information voluntarily through our website’s contact forms, such as your name, email address, or attachments, we will only use this information for the purpose specified, such as responding to your inquiries or providing requested services.

We do not sell, rent, or otherwise disclose your personal information gathered in these ways to third parties, except as required by law or with your explicit consent.

While navigating our website, you may encounter links to third-party websites that are not governed by our privacy policies and procedures. If you decide to access these links, we recommend reviewing the privacy policies of those websites directly to better understand their data handling practices.

3. Purposes for collecting, holding, using, and disclosing personal information

3.1 Use
We collect, hold, use, and disclose personal, sensitive, and special categories of information to provide agreed services to our clients and to operate our business, and all purposes related to the agreed services. We will only use your information for the purposes for which it was collected for, if this use would be reasonably expected by you, or otherwise, with your consent.

We also use the information to manage potential conflicts of interest and independence obligations.

We may also use personal information to send promotional materials, or communications regarding services provided by us that we feel may be of interest. We may also seek feedback on our services or for market or other research purposes.

Personal information may also be used to protect our rights and that of our users and, where appropriate, to comply with legal process.

3.2 Disclosure
In the delivery of professional services, we may disclose personal, sensitive and special categories of information to other organisations where they are providing related services. Where this is to occur, and where possible, we may seek prior approval to do so.

TR may also be required to disclose personal and sensitive information to law enforcement, regulatory, or other government agencies, or to other third parties, to comply with legal or regulatory obligations or requests.

Information provided to third-parties will be dealt with in accordance with that entity’s privacy policy.

Where you engage us to attend to your tax affairs we will assume (unless you advise otherwise) that you have specifically authorised us to deal directly with the Australian Tax Office (ATO) and the New Zealand Inland Revenue regarding day to day type matters. If, in the course of our dealings with these bodies, they request information regarding you that we believe is outside of such matters, e.g. tax office audit, we will request your specific authority before complying with their request.

In performing our services, it may be necessary in certain limited situations to send your personal information to external service providers outside of Australia, in the United States, Singapore, India, the Philippines, New Zealand, and other countries. In this case we will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

4. Outsourced Service Providers and Data Transfers
Tilbrook Rasheed is committed to protecting the privacy and confidentiality of personal information. We take reasonable steps to ensure that our employees and any third-party service providers respect the confidentiality of the personal information we hold.

In providing our services, we may disclose personal information to third-party service providers located outside of Australia. These disclosures are necessary for the efficient and effective administration of our services. The types of third-party service providers we may engage include, but are not limited to, accountants/bookkeepers and administrative support, and IT managed service providers.

The countries to which we may transfer personal information include, but are not limited to, the Philippines, India, New Zealand, the United States, Canada, the United Kingdom, Vietnam, Hong Kong, Singapore, South Korea, and the Netherlands.

We take such steps as are reasonably necessary to ensure that any overseas recipients handle personal information in a manner consistent with the Australian Privacy Principles.

These steps may include:

• conducting due diligence to ensure that overseas recipients have robust data protection measures in place.
• implementing contractual agreements that obligate the overseas recipients to adhere to privacy standards equivalent to those required under Australian law, and.
• regularly reviewing and auditing the data protection practices of overseas recipients to ensure ongoing compliance.

Additionally, there may be circumstances where the disclosure of personal information is required or authorized by Australian law, a court/tribunal order, or where you have given your direct consent.

If you have any questions or concerns about our privacy policy or how your personal information is handled, please contact our Privacy Officer.

5. Cloud Computing Services
Tilbrook Rasheed uses some cloud-based computer services for its own internal use and for some client service functions. Prior to Tilbrook Rasheed utilising any cloud-based software programs, we conduct a thorough due diligence review of the providers, including who they are, what and how they provide their services, and how and where data is stored, protected, and backed up to reasonably ensure they have the appropriate privacy policies to manage those risks.

Where Tilbrook Rasheed directly engages those cloud computing service providers, we are then covered under the respective third-party’s own privacy policy. The cloud-computing services we use who, depending on your engagement with us, may or may be used to assist deliver our services to you, with links to their privacy policy, are as follows:

• MYOB – https://www.myob.com/au/privacy-policy
• Xero – https://www.xero.com/au/about/legal/privacy/
• Reckon – https://www.reckon.com/au/policies/privacy/
• Class – https://www.class.com.au/wp-content/uploads/2019/03/Class.public.Privacy-Policy.Version-20190325.pdf
• Microsoft 365 – https://privacy.microsoft.com/en-us/privacystatement
• Adobe – https://www.adobe.com/au/privacy/policy.html
• Dropbox – https://www.dropbox.com/privacy
• BGL – https://www.bglcorp.com/wp-content/uploads/2023/10/BGL-Group-Privacy-Policy-and-Data-Collection-Statement-21-Sep-23-2.pdf
• FYI – https://fyidocs.com/privacy/
• FuseWorks – https://www.fuse.work/privacy-policy/
• iPracticeApps – https://ipracticeapps.com/privacy-policy
• ASF Audit – https://asfaudits.com.au/privacy-policy
• Accurium – https://www.accurium.com.au/privacy-policy

6. Information Security
We have in place reasonable commercial standards of technology and operational security to protect all information provided from misuse, unauthorized access, disclosure, alteration, or destruction for example by use of physical security and restricted access to electronic records, swipe cards to building, security bins, firewalls, the use of encryption, passwords and digital certificates.

Our employees are required to respect the confidentiality of personal information and the privacy of individuals, and privacy and data protection training is undertaken. All employees are required to read this policy and understand their obligations regarding personal information.

The transmission and exchange of information is carried out at your own risk. We cannot guarantee the security of any information that you transmit to us or receive from us. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that personal information that we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.

We will retain your personal information only as long as necessary to fulfil the purpose for which it was collected, as required by law and the Australian Privacy Principles, or in accordance with our documentation retention policies.

7. Holding Personal Information
We hold personal, sensitive and special categories of information in hard copy and electronic formats (including cloud-based solutions). We have in place reasonable commercial standards of technology and operational security to protect the information we hold.

8. Gaining access to personal information we hold
You may access your personal, sensitive and special categories of information, which we hold, and seek to correct that information where necessary. Your access to this information is subject to the exceptions set out in the Privacy Act.

These exceptions would include where:

• it is a frivolous or vexatious request
• information relates to a commercially sensitive decision-making process
• access is unlawful
• information would prejudice enforcement activities relating to criminal activities and other breaches of law,
• unreasonable impact on the privacy of other individuals, or
• denial of access is required or authorised by or under law.

If access is denied we will explain why it is denied.

To request access to or correct your personal information, you can contact TR’s Privacy Team (privacy@trca.com.au). We will require you to verify your identity and to specify what information you require. A reasonable fee may be charged for providing access.

9. Changes to our Privacy Statement
We may modify or amend this privacy statement from time to time as required, and at our discretion, and may be supplemented or amended by privacy statements that are specific to certain areas of this website (e.g. recruitment, social media etc). When we make changes to this statement, we will amend the revision date at the top of this page. You will be notified of any amendments to this Privacy Policy by posting an updated version to our website and accordingly we encourage you to periodically review our website and our policy to be informed about how we are protecting your information.

10. Children’s Privacy Protection
We understand the importance of protecting children’s privacy in the interactive online world. Our website is not designed for or directed at or intentionally targeted at children 13 years of age or younger. It is not our policy to intentionally collect or maintain information about anyone under the age of 13, except as part of a specific engagement to provide services which necessitates such personal information be collected, for the purposes of ensuring compliance with our auditor independence policies, or as otherwise required by law

11. Keeping Personal Information Current
If you believe that any personal information TR has collected about you is inaccurate, not up-to-date, incomplete, irrelevant or misleading, you may request correction. To do so, please contact TR immediately and we will take reasonable steps to correct it in accordance with the requirements of the Privacy Act.

12. Questions & Complaints
If you have any questions or concerns regarding your privacy, or you would like to make a comment on the effectiveness of this policy, please direct them to the Privacy Officer at:

Privacy Officer
Tilbrook Rasheed Pty Ltd
GPO Box 1243
ADELAIDE SA 5001
Phone: +61 (08) 8378 9500
Fax: +61 (08) 8378 9599
privacy@trca.com.au

For all other enquiries, please contact us at:

Tilbrook Rasheed Pty Ltd
GPO Box 1243
ADELAIDE SA 5001

We will endeavour to reply to you within 30 days of receipt of your complaint and, where appropriate, will advise you of the general reasons for the outcome of the complaint. If you believe that the Privacy Officer has not adequately handled your query or issue, you may refer your complaint to the Complaints Officer whose contact details are as follows:

Complaints Officer
Quality & Risk
Tilbrook Rasheed Pty Ltd
GPO Box 1243
ADELAIDE SA 5001
Phone: +61 (08) 8378 9500
Fax: +61 (08) 8378 9599
complaints@trca.com.au

If you believe that Tilbrook Rasheed has not adequately handled your privacy complaint, you may refer your complaint to the Office of the Australian Information Commissioner whose contact details are as follows:

Office of the Australian Information Commissioner
GPO Box 5288
Sydney NSW 2001
1300 363 992
foi@oaic.gov.au

13. Additional Information
For further information about privacy and the protection of privacy, visit the Office of the Australian Information Commissioner’s website at www.oaic.gov.au.

Policy Review
Annual Review due: July 2025