
Data and Privacy Protection in Financial Advice

Produced By: Ensombl

Earn 0.75 CPD Points


Section 1: Introduction to Privacy and Data Protection in Financial Advice

1.1 Why Privacy and Data Protection Matter in Financial Planning

In financial planning, advisers hold not just personal details about their clients—but some of their most sensitive financial and lifestyle information.

Unlike many industries, the relationship between financial planner and client is based on trust, transparency, and a high level of disclosure.

This makes privacy and data protection both a legal obligation and a cornerstone of professional conduct.

Australia's privacy and data protection regime continues to evolve, particularly in response to increasing cyber threats, advancements in digital storage and transmission, and growing consumer awareness around data rights.

Financial advisers must operate with a clear understanding of how to manage data responsibly—from collection and storage, through to sharing and destruction.

While compliance with privacy laws is critical to avoid fines or sanctions, strong data governance is increasingly being viewed as a business differentiator.

Clients are asking how their information is protected—and licensees that can answer confidently stand to gain both trust and competitive advantage.

1.2 The Legislative Framework for Privacy in Financial Services

The foundation of privacy protection in Australia is the Privacy Act, which applies to organisations with annual turnover exceeding $3 million, and to small businesses providing financial services—such as licensees and authorised representatives under an AFSL.

The Act includes:

  • 13 Australian Privacy Principles (APPs), which govern the handling, use, and disclosure of personal information
  • Requirements for transparency, data minimisation, and security
  • Mandatory reporting of certain data breaches through the Notifiable Data Breaches (NDB) scheme
  • Oversight by the Office of the Australian Information Commissioner (OAIC)

The Privacy Act is supported by:

  • ASIC Regulation: Through obligations under the Corporations Act 2001, financial advisers must act efficiently, honestly and fairly—which includes respecting client confidentiality and data integrity.
  • Australian Financial Complaints Authority (AFCA): Where privacy breaches impact client outcomes, AFCA may investigate complaints and award compensation.
  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF): Governs identification and verification procedures that collect sensitive information—often overlapping with privacy rules.
  • ASIC's RG 271 (Internal Dispute Resolution): Requires firms to investigate and respond promptly to complaints, including those relating to data handling or misuse.

1.3 The Business Impact of Poor Data Protection

Failing to properly manage client data can result in:

  • Regulatory enforcement: Including fines, enforceable undertakings, licence conditions or suspensions
  • Civil litigation: Clients may sue for breach of confidence or negligence
  • Complaints to AFCA: Resulting in compensation and reputational harm
  • Breach of fiduciary duties: Where client interests are put at risk through sloppy data practices
  • Loss of trust: Which can quickly escalate to loss of clients and professional standing

Real-world breaches—such as improper file sharing, system hacks, or inappropriate email forwarding—have led to serious consequences for advice firms, including regulatory scrutiny, legal settlements, and negative media coverage.

1.4 Course Context and Objectives

This module is designed for individuals working under an AFSL who are responsible for collecting, using, accessing, sharing, or securing client data.

This includes:

  • Financial advisers
  • Practice managers
  • Paraplanners
  • Client services officers
  • Compliance and support staff

The module assumes familiarity with basic client file handling, but provides a much deeper and more technical understanding of legal, regulatory, and practical expectations around data protection.

You will learn to:

  • Define and differentiate personal vs. sensitive information in the financial advice context
  • Understand your obligations under the Privacy Act and related laws
  • Respond to real-world scenarios involving potential or actual data breaches
  • Apply best-practice approaches to client data handling, including digital file security, email hygiene, and system controls

Section 2: Understanding Personal and Sensitive Information in Financial Advice

2.1 Overview

Every day, financial advisers handle large volumes of client data—across onboarding, fact-finding, advice preparation, product applications, and ongoing service.

At the heart of responsible data protection lies a simple but crucial distinction:

  • What kind of information is being collected?
  • What are the legal and ethical responsibilities that come with it?

The Privacy Act draws a clear line between personal information and sensitive information. Both categories are protected by law—but sensitive information is subject to stricter rules due to its higher potential for harm if misused.

Responsible data handling starts with understanding exactly what you’re working with—and adjusting your security, consent, and disclosure protocols accordingly.

2.2 What Is Personal Information?

Personal information is defined as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in a material form or not.”

This is broader than most people think. It includes not only directly identifying data (e.g. name, address), but also combinations of data that, when aggregated, allow someone to be reasonably identified.

Common Examples in Financial Planning:

  • Full name
  • Date of birth
  • Residential and mailing address
  • Email address
  • Phone number
  • Driver’s licence or passport number
  • Tax File Number (TFN)
  • Account numbers
  • Superannuation and investment balances
  • Employment information
  • Details of family members or dependants
  • Notes from fact-finding discussions or CRM entries

Less Obvious Examples:

  • IP addresses (especially when linked with location and browsing behaviour)
  • Notes or emails that don’t mention a name, but describe a unique client situation
  • Voice recordings or transcripts of client meetings
  • Metadata from online tools if tied to an individual user profile

2.3 What Is Sensitive Information?

Sensitive information is a sub-category of personal information. Because of its nature, the Privacy Act imposes additional restrictions on its collection and use.

Definition:
“Information or an opinion about an individual’s race, ethnic origin, political opinions or membership, religious beliefs, sexual orientation, criminal record, health information, biometric or genetic data.”

In financial planning, the most common forms of sensitive information encountered are:

  • Health information (e.g. medical disclosures for insurance underwriting, disability information for income protection advice)
  • Criminal history (e.g. bankruptcy declarations, past fraud convictions)
  • Religious affiliation (e.g. related to estate planning preferences or ethical investment preferences)
  • Sexual orientation or relationships (e.g. de facto status or partner financial arrangements)
  • Biometric information (e.g. facial recognition data used in ID verification tools)

Key Rule:
You must not collect sensitive information unless:

  • The client has given explicit consent, and
  • The collection is reasonably necessary for your advice or services

Verbal consent is not enough in most cases—written or logged confirmation is strongly advised.

2.4 Examples in Practice

Examples of data types, classifications, and handling considerations:

  • Completing a fact-find form: Personal — Must be accurate, relevant, and securely stored
  • Medical records for TPD cover: Sensitive — Must have written consent before collection or storage
  • Notes about a client’s divorce: Personal, possibly Sensitive — Limit to necessary details; secure and restrict access
  • Investment preferences excluding fossil fuels: May imply sensitive beliefs — Use generic descriptions unless client provides specifics
  • Uploading ID scans to a CRM: Personal (with high security value) — Should be encrypted, access-controlled, and logged

2.5 Aggregated and De-Identified Data

Aggregated data (e.g. 20% of clients are under age 40) and de-identified data (e.g. removing names and contact info) are not personal information if they cannot be re-identified.

However, be cautious:

  • De-identification must be irreversible using reasonably available means
  • Combining multiple datasets may allow re-identification, which would re-trigger privacy obligations

For example, de-identifying a spreadsheet of client balances is not sufficient if another linked file contains matching client codes or birthdays.
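The linkage problem described above, as an added example that is not part of the Ensombl module: a balances export with names removed is re-joined to a separate roster on client code, or on birthday plus postcode, and a pre-release check flags the residual join keys; the records are constructed and the column names (client_code, dob, postcode, super_balance) are assumed, not a real CRM schema.

```python
"""
Re-identification check for a "de-identified" client export.

Added example, not part of the Ensombl module. It shows why removing names
from a spreadsheet of balances is not enough when another file the practice
holds still carries the same client codes or birthdays, and gives a
pre-release check a reviewer could run. All records are constructed and the
column names (client_code, dob, postcode, super_balance) are assumptions.
"""
from collections import Counter, defaultdict
import csv
import io

# Constructed "de-identified" export: names and contact details removed,
# but client_code, dob and postcode were left in place.
BALANCES_CSV = """client_code,dob,postcode,super_balance
C1001,1981-03-14,2000,412000
C1002,1979-11-02,3000,88000
C1003,1990-06-30,2000,15500
C1004,1979-11-02,4000,230000
C1005,1984-01-20,2010,67000
C1006,1992-09-09,3001,9000
"""

# Constructed roster that still carries identities (e.g. a client list
# exported from the CRM for another purpose).
ROSTER_CSV = """client_code,full_name,dob,postcode
C1001,Alex Example,1981-03-14,2000
C1002,Bea Sample,1979-11-02,3000
C1003,Chris Placeholder,1990-06-30,2000
C1004,Dana Fictional,1979-11-02,4000
C1005,Evan Madeup,1984-01-20,2010
C1006,Fay Invented,1992-09-09,3001
"""


def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def link_records(deidentified, identified, keys):
    """Join both files on `keys`. Returns {row index in deidentified: full_name}
    for rows that match exactly one identity, i.e. rows that re-identify."""
    by_key = defaultdict(list)
    for row in identified:
        by_key[tuple(row[k] for k in keys)].append(row["full_name"])
    linked = {}
    for i, row in enumerate(deidentified):
        names = by_key.get(tuple(row[k] for k in keys), [])
        if len(names) == 1:
            linked[i] = names[0]
    return linked


def linkage_keys(deidentified, other_file, measures=("super_balance",)):
    """Columns present in both files are potential join keys; the figures
    being released (the measures) are excluded."""
    shared = set(deidentified[0]) & set(other_file[0])
    return sorted(shared - set(measures))


def k_anonymity(rows, keys):
    """Smallest number of rows sharing one combination of `keys`.
    k == 1 means some row is unique on those columns alone."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(counts.values())


def release_check(deidentified, other_file):
    """Findings to resolve before the export leaves the practice."""
    findings = []
    keys = linkage_keys(deidentified, other_file)
    if "client_code" in keys:
        findings.append("client_code also appears in a linked file: direct re-identification")
    quasi = [k for k in keys if k != "client_code"]
    if quasi and k_anonymity(deidentified, quasi) == 1:
        findings.append(f"{'+'.join(quasi)} is unique for at least one row")
    return findings


def generalise(deidentified):
    """Drop the join keys and coarsen dob to a decade so that each remaining
    combination is shared by several clients (not reversible with the data held)."""
    return [{"birth_decade": r["dob"][:3] + "0s", "super_balance": r["super_balance"]}
            for r in deidentified]


if __name__ == "__main__":
    balances, roster = read_rows(BALANCES_CSV), read_rows(ROSTER_CSV)
    print("linked by client_code:", len(link_records(balances, roster, ["client_code"])))
    print("linked by dob+postcode:", len(link_records(balances, roster, ["dob", "postcode"])))
    for finding in release_check(balances, roster):
        print("FINDING:", finding)
    print("k-anonymity after generalising:", k_anonymity(generalise(balances), ["birth_decade"]))
```

With only six constructed rows, birthday alone already re-identifies four clients and birthday plus postcode re-identifies all of them; the generalised version is the shape of export that actually leaves the file no longer personal information.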

2.6 What If You’re Unsure?

If you're not sure whether a piece of data qualifies as personal or sensitive information:

  • Treat it as protected by default
  • Use minimum access and need-to-know principles
  • Seek clarification from your compliance or legal team

The downside of over-protection is some lost efficiency. The downside of under-protection is a privacy breach.

2.7 Summary and Action Points

  • Understand that personal information includes anything that can reasonably identify an individual
  • Treat sensitive information—especially health or criminal data—with heightened caution
  • Always seek explicit consent before collecting sensitive information
  • Consider whether collection is necessary, and minimise wherever possible
  • Use secure, access-controlled systems for storage and sharing
  • Document your data collection decisions in client files or CRM notes

Section 3: Data Breaches – Impact, Notification, and Risk Management

3.1 Overview

A data breach can be devastating—not just for the clients affected, but for the business’s reputation, legal standing, and financial viability.

Financial advisers operate in a high-trust environment, and any loss, misuse, or unauthorised access to client information undermines that trust.

Under the Notifiable Data Breaches (NDB) scheme, certain types of breaches must be reported to both the Office of the Australian Information Commissioner (OAIC) and affected individuals.

But even when not formally reportable, data breaches carry serious professional and commercial consequences.

This section explores the types of data breaches most common in financial planning, their implications, and how to prevent and respond to them.

3.2 What Is a Data Breach?

A data breach occurs when personal information is:

  • Lost
  • Accessed without authorisation
  • Disclosed without consent or legal basis

Examples in Financial Advice:

  • Emailing an SOA to the wrong client: Unauthorised disclosure — High risk of financial and identity exposure
  • Adviser’s laptop is stolen with unencrypted files: Loss / unauthorised access — High systemic breach risk
  • CRM user credentials are shared informally: Unauthorised access — Medium to high risk depending on access scope
  • Sending a client spreadsheet without password protection: Insecure disclosure — Medium risk, especially if emailed externally
  • Uploading client ID documents to an unsecured server: Failure to protect sensitive data — High regulatory and legal exposure

A data breach may be accidental or malicious, but intent does not reduce the regulatory obligation to act.

3.3 What Is a “Notifiable” Breach?

Under the NDB scheme, an organisation must notify the OAIC and all affected individuals when a breach is likely to result in:

“Serious harm to an individual to whom the information relates.”

This includes:

  • Identity theft
  • Financial loss
  • Psychological harm
  • Reputational damage
  • Disruption of personal or business life

Criteria for Notification:

  • A data breach has occurred
  • The breach is likely to cause serious harm
  • The entity has not been able to prevent the risk via remedial action

If these three conditions are met, notification is mandatory.

3.4 Timelines and Requirements

  • Notification must be made as soon as practicable after becoming aware of the breach.
  • Advisers or practice staff must report suspected breaches immediately to their licensee’s privacy officer or compliance manager.
  • The OAIC must receive a formal report that outlines:
    • The nature and cause of the breach
    • What information was involved
    • How individuals are affected
    • Steps taken or planned to control the harm
  • Affected clients must receive:
    • Clear explanation of the breach
    • Description of potential impact
    • What steps are being taken to support or protect them

Failing to notify appropriately may lead to enforcement action, fines, or regulatory censure—even if the breach was accidental.

3.5 Implications of a Data Breach

Regulatory Consequences:

  • Fines and penalties (civil monetary orders)
  • Enforceable undertakings
  • Licence conditions
  • Public OAIC findings
  • Compulsory third-party audits

Operational and Commercial Fallout:

  • Loss of client trust
  • Staff turnover and morale issues
  • Insurance premium increases
  • Time and cost of remediation and legal advice
  • Termination of partnerships with product providers or platforms

3.6 Case Examples in Australian Advice Firms

Case 1: Device Loss and Inadequate Encryption

A Sydney-based AFSL holder had a staff laptop stolen from a car. It contained unencrypted client files, including identity documents and TFNs. The OAIC found the firm did not have adequate policies or technical controls in place. The firm was required to:

  • Conduct a full risk audit
  • Implement remote wipe capabilities
  • Deliver mandatory staff training on mobile security
  • Notify all affected clients

Case 2: Third-Party File Misdelivery

An outsourced paraplanner incorrectly emailed a group of client SOAs to the wrong adviser. The incident was discovered two days later, and some SOAs had already been opened. The licensee:

  • Reported the breach to the OAIC
  • Engaged with each affected client
  • Suspended file sharing privileges for the paraplanner’s team
  • Updated SOPs and contractual agreements for data handling

3.7 Risk Management and Prevention

Preventing breaches is more effective than reacting to them. Best-practice strategies include:

  • Role-based access permissions: Only provide access to data needed for specific job functions
  • Data minimisation: Don’t collect or retain unnecessary information
  • Secure communication tools: Use encrypted file transfer and secure email gateways
  • CRM audit trails: Track access, edits, and downloads
  • Strong password hygiene: Enforce regular updates and complexity requirements
  • Device protection: Implement remote wipe, device encryption, and timeout locks
  • Staff training: Ensure regular refreshers on data handling and phishing threats
  • Breach response plan: Documented and tested response protocols for rapid containment

3.8 Summary and Checklist

You are dealing with a breach if:

  • You’ve sent client information to the wrong person
  • You’ve lost access to a device containing client files
  • Your system was accessed by an unauthorised user
  • A third party you work with has had a security incident involving your clients

What to do:

  • Report immediately to your licensee or compliance officer
  • Do not attempt to conceal or delay the issue
  • Begin assessment of harm potential
  • Document all actions and communications
  • Notify affected clients if required

Section 4: Consent, Collection, and Use of Client Information

4.1 Overview

Financial advisers collect a wide range of personal and sensitive information from clients. But not all collection is lawful—and not all lawful use is ethical or professional.

The Privacy Act and the Australian Privacy Principles (APPs) require that information is only collected:

  • With appropriate client consent, and
  • Where reasonably necessary for your business functions or activities

Beyond legality, the quality and transparency of your data collection process strongly affects client trust. This section outlines how to collect and use client data responsibly—before, during and after the advice relationship.

4.2 Defining Consent

Consent must be:

  • Informed: The client knows why the information is being collected and how it will be used
  • Voluntary: The client has a genuine choice, free from coercion or pre-condition
  • Current: Consent reflects present circumstances—not assumed from a prior interaction
  • Specific: Applies to a clearly defined purpose (e.g. lodging an insurance application)
  • Capable: The client must be mentally and legally able to give consent

Silence, pre-ticked boxes, or bundled terms do not constitute valid consent under Australian law.

Best practice is to record and store the client’s consent in writing, ideally using a signed document, secure e-signature platform, or CRM record with time/date stamps.

4.3 Collecting Information

Under APP 3, you can only collect personal information that is reasonably necessary for one or more of your core business functions (such as fact-finding, SOA preparation, or product implementation).

When collecting data, you must:

  • Use lawful and fair means (e.g. no surveillance or data scraping)
  • Be transparent about what you are collecting and why
  • Limit collection to the minimum required to perform the task
  • Avoid collecting information “just in case” it becomes useful

The less data you collect, the less risk you carry—and the easier it is to protect.

4.4 Using Information

Once information is collected, APP 6 restricts how you can use or disclose it.

You may only use or disclose personal information for:

  • The purpose it was collected for (the “primary purpose”), or
  • A directly related secondary purpose the client would reasonably expect, or
  • With the client’s specific consent, or
  • If required by law (e.g. court order, police investigation)

Using information beyond this scope—even with good intentions—can breach the Privacy Act.

Examples:

  • Permitted: Using income data to model retirement scenarios in an SOA (primary purpose)
  • Permitted: Sharing client data with your licensee’s compliance team for QA (directly related)
  • Not permitted: Using client data to test a new advice template internally (no consent)
  • Not permitted: Disclosing a client’s file to a related entity for marketing purposes (not expected, no consent)

4.5 Mandatory Collection Statements

Whenever you collect personal information, you must provide the client with a “collection statement” that explains:

  • Your identity and contact details
  • The purpose(s) for collection
  • Whether the collection is required or optional
  • Consequences if the client chooses not to provide it
  • Who you may share it with (e.g. insurers, platforms)
  • How they can access or correct their information
  • How to lodge a complaint

These can be included in your firm’s privacy policy or client engagement letter—but must be provided before or at the time of collection.

4.6 Summary

  • Only collect what is necessary and lawful
  • Make consent explicit, informed, and up to date
  • Explain your data collection through a proper collection statement
  • Use and disclose data only as intended and agreed
  • Record how and when consent was given
  • Never assume that because you hold data, you’re allowed to use it in new ways

Section 5: Data Storage, Access and Security Practices

5.1 Overview

Storing and managing client data safely is a key responsibility of every licensee, adviser, and support staff member.

The Privacy Act (APP 11) requires organisations to take “reasonable steps” to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure.

This applies whether you use a cloud-based CRM, keep hard copy files, or share data with third-party services.

Strong data security isn’t just about having the right tools—it’s about having the right behaviours, policies, and access controls in place to prevent leaks or breaches.

5.2 Secure Storage

Client data must be stored in a way that prevents unauthorised access or misuse.

  • Digital files: Use encrypted servers or CRM platforms with robust security credentials
  • Hard copy documents: Store in locked cabinets with restricted key access
  • Cloud systems: Must be Australian-hosted or meet equivalent privacy standards (e.g. ISO 27001)
  • External storage providers: Must be contractually bound by privacy and confidentiality clauses
  • Backups: Should be encrypted and regularly tested for recoverability

Advisers must never store client data on unsecured USBs, private email folders, or local hard drives without protection.

5.3 Role-Based Access Control

Access to data must be limited to those who need it to perform their role.

  • Use CRM permission settings to restrict file access by role (e.g. adviser vs admin vs licensee)
  • Review access logs and permissions at least quarterly
  • Disable access immediately when staff leave or change roles
  • Use named login credentials—never shared or group logins

These steps reduce the risk of accidental or malicious misuse of client data by insiders or ex-employees.
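The quarterly log review called for here (and the CRM audit trails listed in 3.7), as an added example that is not part of the Ensombl module: it runs the three checks above over a constructed access log, flagging access by a departed staff member, access outside a role's permissions, and one named login used from two addresses within minutes; the log format, role names, record types and IPs are assumptions, not a real CRM's.

```python
"""
Quarterly CRM access-log review. Added example, not part of the Ensombl module.

Checks, over a constructed log: (1) a user whose account should have been
disabled after their last day is still opening records, (2) a record type
opened that the user's role is not permitted to see, (3) one named login
active from two different addresses inside a short window, a sign the
credential is being shared. Log format, roles, record types and addresses
are assumptions for the example only.
"""
from datetime import date, datetime, timedelta

# Role -> record types that role may open (assumed permission model).
ROLE_PERMISSIONS = {
    "adviser": {"fact_find", "soa", "id_document"},
    "admin": {"fact_find", "id_document"},
    "licensee": {"soa", "audit_report"},
}

# Constructed staff register: role and, if departed, the last working day.
STAFF = {
    "j.doe": {"role": "adviser", "left": None},
    "m.lee": {"role": "admin", "left": None},
    "r.kim": {"role": "admin", "left": "2024-03-29"},
    "compliance": {"role": "licensee", "left": None},
}

# Constructed log lines: timestamp user action record_type client source_ip
ACCESS_LOG = """\
2024-04-02T09:05:11 j.doe view soa C1001 10.0.0.12
2024-04-02T09:06:40 m.lee download soa C1001 10.0.0.31
2024-04-03T14:22:05 r.kim view id_document C1002 10.0.0.40
2024-04-04T11:00:00 compliance view audit_report - 10.0.0.50
2024-04-04T11:02:30 compliance view audit_report - 203.0.113.9
2024-04-05T08:15:00 j.doe view fact_find C1003 10.0.0.12
"""


def parse_log(text):
    """Turn the whitespace-separated log into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, action, record, client, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "record": record, "client": client, "ip": ip})
    return events


def review_access(events, staff, perms, share_window=timedelta(minutes=10)):
    """Return (finding_type, user, detail) tuples in log order."""
    findings = []
    last_seen = {}  # user -> (timestamp, ip) of that user's previous event
    for e in events:
        person = staff.get(e["user"])
        if person is None:
            # A login that is not in the register is itself a finding.
            findings.append(("unknown_user", e["user"], e["ts"].isoformat()))
            continue
        if person["left"] and e["ts"].date() > date.fromisoformat(person["left"]):
            findings.append(("departed_user", e["user"], e["ts"].isoformat()))
        if e["record"] not in perms[person["role"]]:
            findings.append(("outside_role", e["user"], e["record"]))
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ip"] and e["ts"] - prev[0] <= share_window:
            findings.append(("possible_shared_login", e["user"], f"{prev[1]} and {e['ip']}"))
        last_seen[e["user"]] = (e["ts"], e["ip"])
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access(parse_log(ACCESS_LOG), STAFF, ROLE_PERMISSIONS):
        print(f"{kind:22} {user:12} {detail}")
```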

5.4 Strong Password and Device Practices

  • Use unique, strong passwords for each system or platform
  • Enable two-factor authentication (2FA) wherever possible
  • Never write down or share passwords
  • Update passwords regularly (every 60–90 days)
  • Install antivirus and endpoint protection on all work devices
  • Auto-lock devices after 5 minutes of inactivity
  • Restrict the use of personal devices for client work

If you must use a BYOD (bring your own device) model, ensure it meets licensee security policy and includes mobile device management controls.

5.5 Secure Sharing of Client Information

Client information must only be shared when necessary and using secure channels.

Best practices include:

  • Using secure document portals (e.g. FuseSign, DocuSign, or OneDrive with MFA)
  • Password-protecting sensitive documents before emailing
  • Not using free file-sharing tools unless pre-approved by compliance
  • Verifying recipient email addresses before sending
  • Avoiding internal shortcuts like “drag and drop” into chat apps that don’t log file access

If a third party (such as a paraplanner or product provider) needs access, ensure they are contractually bound by privacy obligations and only receive the data required for the task.

5.6 Data Retention and Destruction

Personal information should not be retained longer than necessary for the purpose it was collected.

Retention policies should align with:

  • Legal obligations (e.g. financial services laws may require client records to be retained for 7+ years)
  • Contractual requirements (e.g. advice files related to indemnity cover)
  • Business needs (e.g. to respond to future complaints or audits)

Destruction must be secure—simply deleting a file or tossing a document in the bin is not sufficient.

  • Digital data: Use secure deletion or overwriting tools
  • Physical files: Use cross-cut shredding or a secure destruction service
  • CRM archives: Ensure backups and system logs are purged according to retention rules

5.7 Summary and Checklist

  • Store client data using encrypted and access-controlled systems
  • Limit access based on role and responsibility
  • Use strong passwords and 2FA for all systems
  • Ensure devices are protected, monitored, and secured against theft or intrusion
  • Share files only via secure channels, with minimum necessary access
  • Retain and destroy data in line with legal and professional obligations

Section 6: Rights of Clients – Access, Correction and Complaints

6.1 Overview

The Privacy Act gives clients important rights in relation to their personal information—including the right to access, correct, and complain about how it is handled.

As financial advisers, it's essential to respect these rights—not only to remain compliant, but to build trust and demonstrate professionalism.

This section explains what clients are entitled to, how to respond to requests, and what to do if a client makes a privacy-related complaint.

6.2 Client Right to Access

Under APP 12, clients have the right to request access to any personal information you hold about them.

You must:

  • Respond to the request within a reasonable time (usually within 30 days)
  • Provide access in the manner requested (e.g. soft copy or hard copy), unless unreasonable or impractical
  • Verify the identity of the person making the request before releasing information

You may refuse access in limited cases—such as where providing access would unreasonably impact another person’s privacy, or where a legal exemption applies (e.g. legal professional privilege).

If you refuse access, you must give written reasons and explain how the client can complain.

6.3 Right to Correction

APP 13 allows clients to request that incorrect, outdated, incomplete, or misleading information be corrected.

You must:

  • Take reasonable steps to ensure the data is accurate, complete, and up to date
  • Make corrections promptly upon request, unless you have lawful grounds to deny it
  • Inform other organisations (where relevant) that you’ve made a correction, if requested by the client

If you deny the correction, you must give written reasons and include a note on the file if the client insists their version be recorded.

6.4 Handling Complaints

Clients have the right to complain if they believe their personal information has been mishandled.

Your responsibilities include:

  • Having a clear and accessible complaint handling process (as per RG 271)
  • Acknowledging the complaint promptly (within 1 business day recommended)
  • Investigating thoroughly and impartially
  • Responding within 30 calendar days
  • Explaining the outcome and any remedies or actions taken
  • Informing the client of their rights to escalate to the OAIC or AFCA

AFCA may award compensation where privacy breaches result in financial or emotional harm. The OAIC may also conduct audits or impose penalties for systemic failures.

6.5 Practical Tips for Advisers

  • Keep data well organised so you can retrieve and review it quickly
  • Respond to access or correction requests without defensiveness
  • Avoid unnecessary delays—30 days is a maximum, not a target
  • Be transparent about what’s on file and how it’s used
  • Maintain records of all access, correction and complaint responses

Your professionalism during these processes demonstrates how seriously your practice takes client privacy and rights.

6.6 Summary and Checklist

  • Clients can request access to their data—respond within 30 days
  • They can ask for errors or outdated details to be corrected
  • Only refuse access or correction if you have valid legal grounds
  • Have a clear, fair and documented process for handling complaints
  • Log and retain all privacy-related requests and how you handled them

Section 7: Privacy Obligations in Digital Advice, AI and Third-Party Tools

7.1 Overview

Digital tools and AI technologies are increasingly embedded in advice delivery—from automated fact-finds and CRMs, to paraplanning platforms, AI-generated content, and client data visualisation dashboards.

While these innovations offer greater scale, consistency, and client experience, they also introduce new privacy risks that must be proactively managed.

This section outlines how to meet privacy and ethical obligations when using digital tools, especially those involving artificial intelligence and external vendors.

7.2 Digital Tools and Third-Party Providers

When advisers use third-party software (e.g. CRMs, file storage, paraplanning platforms, calculators, email tools), they remain responsible for the privacy of any client data shared through these tools.

You must:

  • Understand how the provider handles, stores, and secures data
  • Ensure the provider complies with Australian Privacy Principles (APPs) or equivalent safeguards
  • Have contracts in place that include confidentiality and data protection clauses
  • Conduct due diligence and ongoing risk assessments
  • Maintain a register of third-party systems that store or access client data

Even if a provider is based overseas, you are still accountable under the Privacy Act for any misuse or breach of client information.

7.3 AI and Automation

Artificial intelligence tools (e.g. paraplanning assistants, auto-generated emails, chatbot-style fact finds) raise specific privacy challenges due to their scale, training data, and transparency limitations.

Key obligations include:

  • Informed consent: Clients must know when AI tools are used and how their data is being processed
  • Fairness: You must ensure outputs are not discriminatory, misleading, or inaccurate
  • Security: Any client data processed by AI must be encrypted, access-controlled, and stored securely
  • Human review: AI-generated outputs (e.g. strategy summaries, projections) must be checked by a licensed adviser before being shared
  • Transparency: Clients should not be misled into thinking they’re speaking with a human when interacting with bots

Using AI tools without understanding where client data is sent, how it is stored, and who has access to it creates serious regulatory and ethical risks.

7.4 Cloud Storage and Cross-Border Risks

Many digital tools rely on cloud infrastructure hosted outside Australia. While this isn’t prohibited, it does require careful handling.

If data is stored or accessed overseas, you must:

  • Disclose this clearly in your collection statement or privacy policy
  • Take reasonable steps to ensure the overseas provider complies with privacy standards similar to APPs
  • Assess whether the data is at risk of government surveillance, geopolitical instability, or data law conflict

This applies even if you’re using well-known platforms like Microsoft, Google, AWS, or Salesforce—always check where their servers are located and how data is handled.

7.5 Examples in Practice

  • Using ChatGPT to draft an SOA: If client data is entered, you may be breaching privacy laws unless you have a private, enterprise-level deployment and client consent
  • Uploading fact finds to Dropbox: If not encrypted or access-controlled, this may not meet APP 11 standards
  • Using an AI tool to summarise client goals: Must be reviewed by a human and confirmed with the client
  • Sharing client notes via Slack or Teams: These systems must be secured, access-logged, and covered by your privacy policy

Always ask: “Would the client be comfortable knowing how their data is being used by this tool?”

7.6 Summary and Action Points

  • Conduct due diligence on all third-party software and AI tools
  • Update your privacy policy to include tools used and cross-border storage
  • Ensure AI-generated content is human-reviewed before use with clients
  • Never enter client data into public-facing AI tools without consent and security review
  • Maintain a record of all systems and vendors that store client data

Section 8: Practical Scenarios and Adviser Responsibilities

8.1 Overview

To bring all the principles in this module together, this section provides real-world scenarios to test your understanding of adviser responsibilities when handling client information.

These examples reflect common privacy challenges faced by advice professionals, along with suggested responses aligned with Australian law and professional standards.

8.2 Scenario: Emailing the Wrong Client

What happened: You accidentally attach the wrong SOA to an email and send it to a different client.

What to do:

  • Immediately recall the email if possible and contact the unintended recipient
  • Report the breach to your licensee or compliance officer
  • Assess the risk of harm (based on the type of info and who received it)
  • If risk is high, notify the affected client and the OAIC as required
  • Review your email processes and apply further controls (e.g. dual checks, password protection)

Key takeaway: Always check file attachments carefully. Mistakes like this are common—but preventable with better systems and habits.

8.3 Scenario: Using ChatGPT or AI Tools

What happened: You paste a chunk of client data into ChatGPT to help draft a goals summary or model an advice strategy.

What to do:

  • Stop and check if the AI tool is public, unsecured, or based overseas
  • Ensure client consent is in place before using such tools
  • Only use AI platforms that meet security and privacy requirements (ideally, enterprise-level or private deployments)
  • Never copy raw client data into publicly available AI tools

Key takeaway: Most public AI tools aren’t privacy-compliant for use with real client data. Always verify before using them for advice work.

8.4 Scenario: Client Wants Access to Their File

What happened: A long-standing client contacts you requesting a full copy of their advice file and all associated records.

What to do:

  • Verify their identity using your standard process
  • Gather the information and respond within 30 days
  • Provide the data in a secure, accessible format (e.g. PDF with password protection)
  • If access is refused for any reason, give clear written justification and appeal options

Key takeaway: Clients have a legal right to access their own information, and this process should be straightforward and respectful.

8.5 Final Adviser Responsibilities

  • Always consider how you collect, use, store, share, and dispose of client data
  • Keep privacy front-of-mind in every system and interaction
  • When in doubt, ask: “Would I be comfortable if the client watched this happen?”
  • Stay up to date with changes to privacy law and best practice
  • Engage your licensee’s compliance team or privacy officer if unsure

Privacy isn’t a checkbox—it’s an ongoing commitment to respecting and protecting those you serve.
