Our Privacy Policy and Data Subject Access Request Policy ensure that we communicate to you how we treat your (and your clients’) personal information. We encourage you to read these policies carefully as they can help you make informed decisions about sharing your personal information with us.

Midwinter Data Subject Access Request Policy V1.0 – updated January 2021


Midwinter Holdings (NSW) Pty Ltd (ACN 613 416 676) and its subsidiaries (including Midwinter Financial Services Pty Ltd (ACN 121 020 620) and InvestmentLink Pty Ltd (ACN 062 979 631) (together, “Midwinter”, “us”, “our” or “we”) are strongly committed to protecting the privacy of an individual’s Personal Information, and respect the privacy rights of our employees, users of our systems and visitors to our websites, in accordance with the Australian Privacy Principles (“APPs“) as contained in the Privacy Act 1988 (“Privacy Act“), and in accordance with other Privacy legislation in the jurisdictions we operate in, including the General Data Protection Regulation (“GDPR”). In this Policy, “Personal Information” means any information or opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in a material form or not.

This privacy policy (“Policy”) sets out how we collect, manage, hold, use, transfer and disclose an individual’s Personal Information. It contains information about how an individual may access the Personal Information about him or her that we hold and seek the correction of such information. It also contains information about how an individual may lodge a complaint in respect of potential breaches of the APPs and how we will deal with such a complaint.

We collect Personal Information by fair and lawful means, to the extent that it is reasonably necessary for, or directly related to, one or more of our business activities. The legal bases for our handling of Personal Information is either:

  • the individual has consented to it; or
  • under performance of a contract with an employee or a third party; or
  • it is in our legitimate interests as a business that provides services to contracted third parties; or
  • there is a legal obligation which makes the processing necessary for us to comply with any laws or other legal requirements; or
  • it is necessary in the vital interests of the individual whose Personal Information we hold; or
  • the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law.

The first three of these are likely to be the dominant legal basis for our handling of Personal Information.

By using any of our services or otherwise providing us with any Personal Information (or authorising it to be provided to us by someone else), you consent to us collecting, holding, storing, using, disclosing, transferring and otherwise managing your Personal Information (including sensitive information (such as health information), as defined in the Privacy Act (“Sensitive Information”) as set out in this Policy. This Policy may be updated from time to time and published on the Midwinter website at https://www.midwinter.com.au/privacy-policy/ (“Midwinter Website”).

Personal Information

The Personal Information we may collect or receive will depend on the circumstances of collection, including whether we collect or receive the information from the individual as a prospective or existing institutional and financial advisers (and their associated staff) (“Clients“), supplier, contractor, job applicant, employee or in some other capacity, or whether we collect the information from some other source, such as from our clients or our related bodies corporate.

In running our business, and in providing services to our clients, Midwinter may:

  • collect and hold Personal Information about our Clients, including (but not limited to):
    • job title(s);
    • business address;
    • e-mail address;
    • business telephone numbers;
    • communications between Midwinter and our Clients’ representatives;
    • transactional information regarding our services; and
    • financial information and banking details;
  • hold Personal Information about our Client’s customers or persons associated with our Client’s customers, including (but not limited to):
    • name(s);
    • address;
    • email communications;
    • date of birth;
    • identification documents;
    • Centrelink details;
    • tax file numbers; Sensitive Information, financial and taxation information, and banking details;
  • collect (under authorisation from our Clients) our Clients’ customer’s data feeds and information from third party product providers, including investment holdings, account numbers transaction information;
  • collect Personal Information about contractors, service providers and suppliers, including (but not limited to):
    • name;
    • job title;
    • business contact details of company representatives with whom we deal; and
    • financial information and banking details; and
  • in the context of our recruitment and employment process for employees and contractors, collect and hold Personal Information, including (but not limited to)
    • name(s);
    • email address;
    • telephone number;
    • address;
    • financial details (including banking details);
    • date of birth;
    • history with us (including communications between us);
    • citizenship;
    • employment references;
    • civil, credit and criminal records;
    • driver’s licence information;
    • education and employment history;
    • marital status;
    • membership of a professional or trade association or union; and
    • Sensitive Information.

How do we collect Personal Information?

Midwinter collects Personal Information about an individual directly from the individual when the individual:

  • applies for job vacancies, or is employed or contracted by us;
  • meets with us or contacts us via other methods such as our support line or helpdesk, or when the individual uses our client portal;
  • completes forms, transacts with us or provides information to us via the Midwinter Website;
  • provides information to us through industry surveys, promotions conducted by us or via social media platforms; and
  • participates in other services we offer, such as our digital advice tools, client portals and client engagement calculators and other.

We also collect Personal Information about individuals from third parties and organisations. We collect, handle or process information from:

  • Clients of Midwinter who disclose the Personal Information of their customers as part of their use of the services provided by Midwinter;
  • third party product providers who we engage (including, but not limited to, data feeding service providers);
  • Midwinter’s related bodies corporate;
  • publicly available sources of information, such as public registers;
  • government agencies;
  • our contracted service providers;
  • parties to whom the individual refers us or from whom the individual authorises collection; and
  • any social media platforms over which we have administrative control.

If you are a Client and provide us with the Personal Information of your customers, we will assume, and you must ensure, that you are authorised to disclose that information to Midwinter. If you disclose Personal Information of your customers to Midwinter or if you disclose Personal Information of third parties through contractual arrangements with Midwinter, we will assume, and you must also ensure, that:

  • you have made that third party aware of the purposes involved in the collection, use, transfer and disclosure of the relevant Personal Information, for example, by requiring the customer to read this Policy;
  • you have obtained the individual’s consent to our collection, use, disclosure, transfer and handling of the relevant Personal Information in accordance with this Policy; and
  • when collecting Personal Information, you have complied with all applicable laws, including data protection and privacy laws.

Where requested to do so by Midwinter, you must assist us with any requests by an individual to access or update the Personal Information you have collected from them in relation to our services.

Purposes of collection, use and disclosure of Personal Information

Midwinter may collect, hold, use and disclose Personal Information for the following purposes:

  • to provide services to our Clients;
  • to maintain, manage and develop our relationship with our Clients, including organising events;
  • to facilitate the provision of services by our Clients or our related bodies corporate to their customers;
  • to verify an individual’s identity, for invoicing, to provide support services and to administer the services we provide to the individual;
  • to provide our Clients with information and updates on changes to our services;
  • to send our Clients’ information about our or our related bodies’ corporate products or services that may be of interest to them. If at any time an individual no longer wishes to be notified about our or our related bodies’ corporate products or services, the individual can contact us at the details provided at the bottom of this Policy;
  • to send feedback questionnaires, and to participate in industry surveys;
  • to help us undertake training in relation to our services and to improve how we serve our Clients;
  • to assist individuals with the resolution of technical issues or other issues relating to our services;
  • to contract out some of our functions to external service providers and suppliers (such as mailing houses and printing companies, IT, advertising and marketing);
  • to comply with laws and regulations in applicable jurisdictions;
  • to assess and consider applications from prospective job applicants, contractors and service providers;
  • to manage and administer a contractor’s or service provider’s relationship and arrangements with us and maintain any records in relation to this relationship;
  • and such purposes for which we may obtain consent, from time to time.

If you do not provide the Personal Information we request or consent to the collection and use of your Personal Information for the purposes outlined in this Policy, we may not be able to do any of the things or provide the services as set out above.

Offshore disclosure

We are likely to disclose an individual’s Personal Information to overseas recipients. The countries in which those recipients are likely to be located are the United Kingdom, New Zealand, Hong Kong, India and Poland. For clarity, we do not disclose our Clients’ customer’s Personal Information to overseas recipients. If an individual does not want their Personal Information or that of their clients’ to be stored on third party
servers, the individual should not provide their Personal Information to our Clients or use our services.

Security of Personal Information

Midwinter is committed to protecting any Personal Information held by us from unauthorised access, modification or disclosure. We take appropriate measures using industry standard techniques to maintain technical and organisational safeguards and controls to protect the information we hold (including your Personal Information). As part of our security policies we take into account confidentiality, integrity,
availability and privacy when handling Personal Information in both the physical and electronic environment.

Our services may allow an individual to transfer data, including Personal Information, electronically to and from third party applications. Midwinter has no control over, and takes no responsibility for, the privacy practices or content of these applications. The individual is responsible for checking the privacy policy and third party terms of any such applications so that the individual can be informed of how they handle Personal Information. Individuals must take care to protect their Personal Information (for example, by keeping usernames and passwords secure), and should notify us as soon as possible if they become aware of any unauthorised disclosure of Personal Information.

Disclosure of Personal Information in limited circumstances

In conducting our business, we usually disclose Personal Information (except for Clients’ Personal Information or our Clients’ customers Personal Information) to:

  • our related bodies corporate;
  • external service providers, such as mail houses, website and IT service providers;
  • professional advisors, such as our financial advisers, legal advisers and auditors; and
  • government agencies.

Midwinter may also disclose the Personal Information (except for Clients’ Personal Information or our Clients’ customers Personal Information) provided to us to third parties if it is necessary and/or appropriate in the provision of our services (or a related purpose). This may include disclosing Personal Information to any governing, regulatory or licensing bodies that require this information to assist with the provision of compliance or monitoring services, such as an individual’s dealer group or licensee. Midwinter may also be required to disclose Personal Information in order to comply with any court orders, subpoenas, or other legal process or investigation including by tax authorities, if such disclosure is required by law. Where possible and appropriate, we will notify individuals if we are required by law to disclose their Personal Information.

The third-party servers we use for data storage do not control, and are not permitted to access or use an individual’s Personal Information except for the limited purpose of storing that information.

You may request access to your Personal Information or seek its correction

We will take such steps (if any) as are reasonable in the circumstances to ensure that the Personal Information we collect is accurate, complete and up-to-date. Our Data Subject Access Request (“DSAR”) policy (available on the Midwinter Website) (“DSAR Policy”) explains our approach and submission requirements if an individual wishes to request access to their Personal Information, or request that we update or correct any Personal Information we hold about the individual.

Please be aware that if you are a Client of Midwinter, or are employed by Midwinter, you should make a request directly to us, by using the DSAR form attached to our DSAR Policy, and submitting it by:

  • e-mail to [email protected]; or
  • letter to the Operations Manager, Midwinter, Level 6/345 George St, Sydney NSW 2000.

If you do not have a direct relationship with Midwinter, but with one of Midwinter’s Clients, you should make your request directly to that individual or entity, who will request that we assist them with your DSAR.

Midwinter will only keep an individual’s Personal Information for as long as we require it for the purposes for which the information may be used or disclosed under the APPs unless otherwise required by law.

You can opt-out of any marketing email communications.

Midwinter uses an individual’s Personal Information to send them information about our or our related bodies’ corporate products or services that may be of interest to them. This information may be sent via email. Our emails will contain clear and obvious instructions outlining how an individual can choose to be removed from our mailing list.


Midwinter may use cookies to collect information about an individual’s use of the Midwinter Website and online services. This information may include information about the IP address of the individual’s computer, browser type, language, operating system, mobile device, geographical region, the web pages visited, the date and the time of their visit, and the websites visited immediately before and after visiting the Midwinter Website.

Our online service requires the use of cookies which are placed on your computer by Midwinter for a number of purposes relating to the provision of our services, including to:

  • retain your login information so as to make accessing our services efficient;
  • retain details of your browsing and accessing history so as to optimise or customise the delivery of our services to you, or for us to provide material to you which may be of interest to you;
  • and provide to us data as to the use of our services by customers so that we can assess the performance of the delivery of our services and make improvements or alterations to our services.

You will not be able to access some of our services if cookies are not enabled on your device. There are two types of cookies: session cookies and persistent cookies. Session cookies are detected once you leave the website. Persistent cookies, however, will remain on your computer or until deleted by the website user. Session and persistent cookies can be classified into one of four categories:

Strictly necessary cookiesThese cookies are strictly necessary to enable you to move about the
site or to provide certain features you have requested.
Functionality cookiesThese cookies allow the website to remember choices you make
(such as your name, language or region you are in) and provide
enhanced, more personalised features
Performance/Analytics cookiesThese cookies collect non-Personal Information – data in a form that
does not permit direct association with any specific individual – and
support the measurement of websites. This information helps
improve websites by identifying any problems that visitors may
encounter during their visit and by learning how they entered and
which pages they visited.
Third party cookiesThese cookies are set by a website other than the one you
are currently on. For example, some websites might have social
media buttons. When you use one of the share buttons, a cookie
may be set.

Midwinter has a privacy complaints process

If an individual wishes to make a complaint about how we have handled their Personal Information, the individual should provide us with full details of the complaint and any supporting documentation:

  • by e-mail to [email protected]; or
  • by letter to the Operations Manager, Midwinter, Level 6/345 George St, Sydney NSW 2000. We will endeavour to:
  • provide an initial response to your query or complaint within 10 business days; and
  • investigate and attempt to resolve your query or complaint within 30 days or one calendar month (as required under either Privacy Act or the GDPR) or such longer period as is necessary and notified to the individual by our Operations Manager.

In the event that you are dissatisfied with the outcome of your complaint, you may refer the complaint to the relevant regulatory authority, such as the Office of the Australian Information Commissioner, or the UK’s Information Commissioner.

This policy is effective as of the 1st of February 2021. We will update this policy if our information handling practices change, and any amendments will apply to the information we hold at the time of the update.

Subscribe to receive news & insights from Midwinter