How we use it
In order to carry out our functions, we may use the information we hold as evidence, and for analysis, risk assessment, audit and/or monitoring purposes.
Where we identify the need to use the information further, for example, to consider or investigate compliance breaches or complaints, or initiate our own investigations or inquiries, we will only do so if required or permitted by law, or with your consent.
We may use information we gather to inform our wider compliance and regulatory strategies. In doing so we will comply with our obligations under the Privacy Act 2020.
How we protect it
Information is stored, accessed and retained in accordance with our Privacy Policies, Information Disclosure Policy, Knowledge Management Policy, ICT Acceptable Use Policy, and the SCC Code of Conduct, the FMA Act, the Privacy Act 2020 and the Public Records Act 2005.
In 2018 , the Financial Markets Authority entered into a contract with Microsoft to store our business applications and data on cloud based external servers. We are satisfied that Microsoft’s Azure and Office 365 services will meet our needs while protecting individual privacy and the confidentiality of our information generally. Our assessment of the security of personal information held in this way is consistent with the Privacy Commissioner’s evaluation in undertaking its own transfer of applications and data to Microsoft servers.
We will store the FMA’s data in Microsoft’s data centres in Australia. The Privacy Commissioner has confirmed that he is satisfied that the privacy laws in Australia provide an equivalent level of protection to New Zealand law.
Microsoft’s terms of service, along with local and overseas privacy regulations, will make sure that we have control over the data while we store it in Microsoft’s data centres. Microsoft also undergoes regular independent audits of its compliance with international standards.
Our move to an externally hosted environment is consistent with Government direction to Government agencies to accelerate the adoption of cloud services in preference to traditional IT systems, to become more cost-effective, agile and secure.
We undertake periodic reviews to ensure we comply with our information-gathering obligations as part of our internal assurance activities.
When we share it
We may share information where necessary in order to properly carry out our functions or to assist another agency or overseas regulator in fulfilling its functions. This may include when we are considering and investigating compliance breaches or complaints, or initiating our own investigations or inquiries.
Information is only shared in accordance with our statutory powers, with appropriate caveats and/or controls, and in compliance with the relevant legislation and any information sharing-agreements with other agencies or overseas regulators.
The FMA is subject to the Official Information Act 1982. This means that information will be made available to a requestor unless there is a good reason to withhold it. There are a number of reasons information may be withheld, including personal privacy and protecting information that has been received in confidence. Section 59 of the FMA Act also requires us to maintain confidentiality of information and documents received, other than in specified circumstances.