Collection of Personal Information
Augusta acquires ‘Personal Information’ for the purposes of improving and personalising their services to its investors, for the purposes of complying with its Reporting Entity obligations under the Anti-Money Laundering and Countering of Financial Terrorism Act 2009, and other regulatory or compliance obligations.
"Personal Information" refers to all and any information relating to an investor, including, but not limited to an investor’s name, date of birth, contact numbers, email address, mailing address, copies of identity documents, bank statements, bank deposit slips etc.
In some instances, Augusta may collect personal information about individuals from third parties, such as, Bayleys Property Services or GreenID. In such circumstances, Augusta or the third party will obtain the individual’s consent. Augusta may also obtain personal information from publicly available resources such as PropertyGuru, WorldCheck, the Companies Office, LinkedIn, government agencies etc.
Consent to Use of Personal Information
Augusta obtains the consent of all investors as part of its application process. For example, 33 Broadway investors were advised:
Privacy Act 1993
You have a right to access all personal information held about you by us. If any of the information is incorrect, you have the right to have it corrected. You acknowledge that you are
authorised to provide this personal information. The personal information you have supplied may be used by us (and other related entities) for the purposes of enabling us to arrange and manage your investment, to contact you in relation to your investment, and to market other products and services to you. You authorise us to disclose your personal information to any third parties as needed to perform services on your behalf; to regulatory bodies or law enforcement agencies as required by law, and to meet our legal or regulatory obligations. We will provide you (on request) with the name and address of any entity to which information has been disclosed.
Use of Information
Augusta will not use any Personal Information unless the relevant party has consented to the use/specific manner to it being used by Augusta. Augusta does not sell, rent or lease Personal Information to any other person, business, organisation or other entity except to Augusta’s related companies or their party contractors, bound by confidentiality undertakings (“Related Entities”). The Related Entities will only use such Personal Information for the same legitimate purpose as Augusta.
Disclosure to third parties
Augusta will not provide Personal Information held to any third parties except where:
(a) Required to do so in compliance with any law, regulation, or court order;
(b) Required by a governmental authority, regulatory body, or where Augusta is under a legal obligation to do so;
(c) Third parties engaged by Augusta to provide services in connection with the uses of Personal Information is authorised to do so and where there is an appropriate confidentiality undertaking; or
(d) It is otherwise required by law.
For statistical purposes Augusta may collect information on its website activity (such as number of users who visit our website, the date and time of visits, the number of pages viewed, navigation patterns, what country and what systems users have sued to access the site, and when entering our website from another website, the address of that website) through the use of ‘cookies’. This information on its own does not identify an individual but it does identify a user’s browser type and their Internet Service Provider. Cookies also provide Augusta with statistics that can be used to analyse and improve our website.
A ‘cookie’ is a packet of information that allows the server (the computer that houses the website) to identify an interact more effectively with the user’s computer. When a user visits Augusta’s website, we send a temporary cookie that gives the user a unique identification number. A different identification number is sent each time our website is viewed. To evaluate the effectiveness of our website, we may use third parties to collect statistical data. No personal data is collected on these occasions.
Security - Storage of Information
The security of Augusta’s investors’ Personal Information is important to us. Augusta uses all reasonable steps to ensure that all personal information is securely protected against loss, unauthorised access and other misuse. In summary, Augusta protects Personal Information by: limiting physical access to investor files by anyone other than employees, requiring any third-party providers to have acceptable security measure in place; requiring any third parties to sign confidentiality undertakings before providing Personal Information; putting in place cyber security (as described below); and destroying Personal Information in accordance with section 50 of the AML Act (as discussed below).
Augusta has a range of physical and technology policies in place to provide a robust security environment. We ensure the on-going adequacy of these measures by regularly reviewing them. Augusta will track all access to our records through logs that are reviewed periodically, and investigate unusual activity.
Augusta Security Measures
Augusta has backup servers in place which are saved onto a disaster recovery (DR) server onsite and offsite. To limit the exposure to viruses there is no direct network access between the offsite DR server and the business network. All credentials are stored within the backup software.
Both the Auckland and New Plymouth sites are protected from outside intrusion by WatchGuard firewalls. Only authenticated users are able to access company servers and information. Specifically, on Ransomware, phishing and spear phishing we have been monitoring the mechanisms that hackers are using, and we have established that having the best backup procedures, firewalls and IT equipment is an effective method of stopping these attacks.
Augusta has also invested in a “Human Firewall Approach”, this means we are training all employees online and sending frequent phishing attacks to monitor compliance (in particular, Augusta has invested in KnowBe4 Security Awareness Program).
Accuracy of Personal Information
Augusta will take all reasonable steps to ensure that all personal information we hold is as accurate as is possible. Under the Privacy Act 1993 an individual has the right to contact Augusta at any time and ask for its correction if the party believes that the personal information held by Augusta is inaccurate or incomplete. In normal circumstances, Augusta will correct that information. If we do not, the party is entitled to request that we attach to that information a statement of the correction requested but not made.
Augusta takes care to ensure that it adheres to the provisions of the Unsolicited Electronic Messages Act 2007 and will only collect and use information from investors on Augusta’s website in accordance with the Act and the Privacy Act 1993. Email marketing will only be sent to an email address where we have received prior consent from the investor. Investors may unsubscribe to any email marketing message at any time by following the unsubscribe instructions contained in the message or by otherwise contacting Augusta.
Storage and Deletion of Investor Data
Augusta does not keep Personal Information for longer than is necessary for those purposes which the information was collected. Augusta will take all practical steps to ensure that Personal Information held about investors who have not had a business relationship with Augusta for more than 5 years or such longer period of time if required by law will be deleted/destroyed.
In Augusta’s opinion, it is not practicable to ensure that all Personal Information of such investors be deleted from any back-up tapes held by Augusta. Instead, such investor’s hard copy files will be destroyed or returned to the investor. Further, as an employee becomes aware of Personal Information that should have been destroyed in accordance with sections 50 and 54 of the AML Act will take steps to do so.
Anti-Money Laundering and Countering of Terrorism Act 2009 (AML Act)
Section 50 of the AML Act requires Augusta to keep the following records for the purposes of meeting its obligations under the AML Act for a period of at least 5 years after the end of that business relationship:
(a) Customer identity and verification;
(b) Relevant to the establishment of the business relationship;
(c) Relating to risk assessments, AML/CFT programmes, and audits; and
(d) any other records (for example, account files, business correspondence, and written findings) relating to, and obtained during the course of, a business relationship that are reasonably necessary to establish the nature and purpose of, and activities relating to, the business relationship.
Subject to the above, in accordance with section 54 of the AML Act, Augusta must take all practicable steps to ensure that every record retained by Augusta under the AML Act, and every copy of that record, is destroyed as soon as practicable after the expiry of the period for which Augusta is required to retain that record – except where there is a lawful reason for retain the record.
There is a lawful reason for retaining a record, if the retention of that record is necessary:
(a) in order to comply with the requirements of any other enactment; or
(b) to enable Augusta to carry on its business; or
(c) for the purposes of detection, investigation, or prosecution of any offence.
Augusta will maintain a record of customer contact information for marketing purposes as this does not fall within ‘customer identity and verification’ information.
Augusta takes any concerns regarding the maintenance and protection of our investors privacy serious. Any complaint by an investor will be dealt with in accordance with Augusta’s complaints handling policy.
Any misuse of Personal Information by an employee of Augusta will amount to misconduct and may be grounds for discipline or dismissal in accordance with Augusta’s Code of Conduct.