Navigating client confidentiality: Best practices in privacy

Financial institutions collect, process, and handle many personal details about their clients, including identification information, bank account numbers, biometric data, transaction history, and more.

Understanding client confidentiality and protecting privacy is imperative, as it helps build trust and assists with necessary legal compliance. 

What is client confidentiality?

Client confidentiality refers to the ethical and legal obligation to keep clients’ information private and secure from unauthorised access.

Examples of personal information financial professionals might collect from clients include:

• Full names, birthdates, and identification details
• Addresses, work information, phone numbers, and contact details
• Passwords, login credentials, and account information
• Internet browsing data and purchase histories
• Biometric data, like fingerprint scans or face-recognition
• Bank and financial information, like credit card numbers and bank account details
• Insurance information details
• Tax identification numbers and relevant tax documents

Because of the sensitive nature of such information, client confidentiality is a cornerstone of the financial industry, as it helps build and maintain trust between clients and service providers. 

Best practices for protecting client privacy

Financial professionals should follow specific best practices to protect client confidentiality and personal information. 

Implementing these best practices helps your business comply with essential laws that regulate the collection, use, and sharing of personal information in the finance industry.

Compliance with legal frameworks

Your data collection practices must comply with applicable laws depending on where your financial services are located, like the Australian Privacy Act 1988 or the New Zealand Privacy Act 2020.

Consequently, under such laws, you must ensure the information you collect is accurate, restrict who you disclose it to and who has access to it, and implement adequate safety measures to keep it secure from unauthorised breaches. 

Data minimisation

While collecting specific client data is necessary for financial institutions, it’s important to focus on data minimisation and only track what’s essential.

Not only is this required by privacy laws, but it also helps reduce the risk of a data breach, something financial institutions often fall victim to. 

Publish a comprehensive privacy policy

All financial professionals should post a comprehensive privacy policy on their website and any available apps — this is often a legal requirement and shows clients you are transparent and prioritise protecting their privacy.

Your privacy policy must include details about:

• What personal data you collect, and why
• How you collect and use the information
• If you share it with any third parties, and if so, who those third parties are
• What rights clients have over their information, and how they act on them
• Your contact information

Fortunately, many resources exist to help simplify making one of these legally necessary policies, like using a reputable privacy policy generator. 

Client consent and notification

When financial institutions proactively seek client consent and provide clear notifications about how they use personal information, it enhances client trust.

Appropriate client consent is also necessary to comply with Australian and New Zealand privacy laws.

For example, obtaining cookie consent may be necessary, as internet cookies often collect information that legally qualifies as personal information. 

Limit data access

One key aspect of protecting client privacy is limiting who has access to their personal information only to those who are properly trained, authorised, and necessary.

Additionally, you should apply access limitations to digital information and any physical files or documents you may have.  

Data retention and disposal

Retaining client data only for as long as necessary helps financial institutions prevent identity theft, fraud, and other cybersecurity risks. 

Also, if data privacy laws apply, you may be legally obligated to dispose of client information as soon as it’s no longer needed. 

Review and update policies and practices

Firstly, it’s essential to review and update your legal policies and practices regularly. Consequently, this helps ensure the information you present to clients remains accurate, up-to-date, and legally compliant.

Additionally, have protocols for updating documents, and don’t forget to review items like your disclaimers and terms and conditions agreement. 

Implement security measures

Firstly, you must implement reasonable security measures to protect personal data collected from clients. 

As a result, some possible security measures you might implement include: 

• Data encryption
• Multi-factor authentication for portfolios or accounts
• Performing regular security audits and privacy compliance checks
• Using secure servers to store personal data with offsite backups
• Firewalls and intrusion detection programs
• Establishing an incident response plan
• Training clients and employees about protecting personal data 

How do privacy laws impact client confidentiality?

Many laws and rules impact how financial service organisations protect the integrity and confidentiality of client data.

Consequently, understanding how these laws affect your business is essential for legal compliance.  

Australian privacy laws

When handling customer data, financial services are impacted by several specific Australian laws and regulations, including the following:

• Privacy Act 1988: This data protection law regulates how covered entities handle personal information and requires a privacy policy outlining all personal information practices. 
• The Australian Privacy Principles (APPS): These 13 principles create a framework that describes obligations for collecting, using, and disclosing personal information and outlines individuals’ rights over their data. 
• Consumer Data Right (CDR): This initiative mandates certain data sharing by Australia’s major banks, introducing open banking to the country and outlining specific privacy safeguards that services must follow to protect personal data.  
• Privacy (Tax File Number) Rule 2015: Under this rule, entities that collect, use, or disclose tax file numbers (TFNs) can only use them or disclose them to facilitate the administration of taxation law.
• Australian Prudential Regulation Authority (APRA) Standards: Financial service organisations must follow obligations and requirements outlined by APRA, specifically impacting data security and management.
• Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Rules: Financial services must comply with identity verification obligations under AML/CTF rules while balancing customer confidentiality. 

Banks in Australia are also subject to common law and contractual duties. For instance, this includes keeping customer information confidential, including consent, compulsion of law, and duty to the public. 

New Zealand privacy laws

For New Zealand financial institutions, the following laws impact how you should handle client privacy and confidentiality:

• Privacy Act 2020: Covered entities, including financial services, must only collect personal information for lawful purposes and use it in a way consistent with the reason for its collection. You’re also obligated to follow security measures to keep that data safe. 
• Information Privacy Principles (IPPs): The 13 IPPS dictate how entities should manage personal information and include guidelines for storage limitations, security controls, access and correction rights, and more. 
• Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act): Financial professionals must balance compliance with privacy laws with the AML/CFT Act, which involves conducting due diligence on customers while handling data securely and confidentially. 

Building integrity and trust

Maintaining client confidentiality is an essential component, both for legal purposes and to foster integrity and trust. 

Finally, by implementing best practices like presenting clients with consent choices, a privacy policy, minimising data collection, and limiting access, your business will be better prepared to protect the privacy of your clients. 

---

Information provided in this article is of a general nature and does not consider your personal situation. It does not constitute legal, financial, or other professional advice and should not be relied upon as a statement of law, policy or advice. You should consider whether this information is appropriate to your needs and, if necessary, seek independent advice. This information is only accurate at the time of publication. Although every effort has been made to verify the accuracy of the information contained on this webpage, MYOB disclaims, to the extent permitted by law, all liability for the information contained on this webpage or any loss or damage suffered by any person directly or indirectly through relying on this information.