Privacy Policy

If you have any questions regarding the below DDH Privacy Policy, the operation of DDH Graham Limited (DDH), or your dealings with DDH, please email us through the Contact us page.



1. Introduction

DDH Graham Limited ABN 28 010 639 219 (referred to as “DDH”, “our”, “we” and “us”) and its named related entities below recognise that the privacy of your personal information is important to you and are committed to protecting the privacy of any personal information they collect from you. Unless you give us your consent to do otherwise, we will only collect and use your personal information as set out below. This is also the privacy policy for ESP Group Pty Ltd ABN 36 074 905 061.

DDH upholds high standards of privacy practices and security and abides by the Australian Privacy Principles (“APPs”) under the Privacy Act 1988 (Cth) (“the Act”). Whenever we handle personal information, we take steps to ensure that appropriate standards of privacy and security are applied.

This Privacy Policy outlines how we will handle and manage personal information that we collect about you. This Policy also describes how you can access or correct information we hold about you or how you can contact us, make a complaint, or ask further questions. You can obtain information about the APPs and your privacy rights at the website of the Office of the Australian Information Commissioner at


2. Exclusions

This policy relates to our collection and handling of personal information that is covered by the Act; it is not intended to cover categories of personal information not covered by the Act.


3. What information do we collect?

DDH collects and holds personal information from clients, customers, employees, contractors, and other individuals.

We collect personal information that is necessary for us to provide you with quality products and services, consider applications you make to us, maintain your contact details and to fulfil our legal obligations under applicable laws and regulations such as those relating to taxation and Anti-Money Laundering and Counter Terrorism Financing.

This information may include:

  • name;
  • date of birth;
  • address;
  • telephone numbers;
  • email address;
  • occupation;
  • financial information, including assets, income, and superannuation details;
  • bank account details;
  • tax file number;
  • records of our interactions with you, including telephone, email and online; and
  • your enquiries or complaints.

Where relevant, we may ask you for other information, for example, qualifications and employment history if you are applying for employment with us. See the Employment Applications section for more information.

We do not generally collect sensitive information about you unless required by applicable laws or rules. Sensitive information that we may collect includes information relating to:

  • racial or ethnic origin;
  • political or religious beliefs;
  • criminal convictions;
  • membership of professional or trade associations or unions; and
  • health information.


4. How do we collect and hold your personal information?

We usually collect personal information in the following ways:

  • directly from you, either in person, in documents, by email, facsimile or via our websites. We may also collect information via telephone, where calls we receive from you may be recorded for quality assurance purposes.
  • from third parties, such as your employer, our related companies, financial advisers, stockbrokers, financial institutions, or Self-Managed Superannuation Fund administrators, where we have established accounts or other banking facilities in your name, business associates and business counterparties, lessors, and solicitors; and
  • from publicly available resources.


5. How do we store your information?

We keep personal information in physical and electronic records, at our premises and the premises of our service providers, which may include the processing and storage of this information in the cloud. Our cloud providers store this information in Australia.


6. Employment Applications

By providing personal details, submitting an application (including where you undertake video interviewing) or CV, or registering interest for employment with DDH, you will supply us with personal information, including your application data, gender, right to work status, educational history, and contact details (‘your information’). Please note that, once collected, DDH will only collect, use, and disclose your information where this is necessary for the administration of the recruitment process and, where applicable, your employment/engagement with DDH, or where DDH has a legitimate interest in processing the data. For example, this could be for the following purposes:

  • to assess and administer your application for employment/engagement in accordance with DDH’s recruitment and administrative practices (including conducting police and reference checks);
  • to communicate with you in relation to your application or other suitable roles within DDH;
  • to comply with any legal or regulatory obligations; and
  • internal reporting.

If your application is unsuccessful, DDH may retain your information on file for 1 year and may contact you if another role arises (if you apply for another role before the 1-year mark is reached, the 1-year period for all information will re-start from the date you apply for that subsequent role). When the 1-year mark is reached, DDH will make best efforts to either delete, anonymise, or put personal information about you ‘beyond use’ within a period of 3 months. Please contact DDH if you do not want us to retain your information on file. If your application is successful, DDH will retain your information as part of your employment records.

Any personal identification information (e.g., driver's licence details) that is held by DDH for the purpose of a police check application will be deleted upon receipt of the final police check from the relevant authority.


7. Collection of information from our websites

When using one of our websites you may voluntarily disclose personal information to us. Our service provider logs the following information for statistical purposes: your server address, top level domain name (e.g. .com, .gov, .au, .uk, etc.), the date and time of your visit, the pages accessed, the documents downloaded, the previous site visited and the type of browser used. This information is used for internal purposes only and to effectively manage our website, including statistical purposes. None of this information specifically identifies an individual.

We will not seek to identify users or their browsing activities except as necessary to investigate or report any suspected unlawful activity, as required, or authorised by law or as reasonably necessary for the activity of an enforcement body.

Cookies are used on our website. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work or work more efficiently as well as to provide information (noted above) to the owners of the site.

For our customers who have online account access, there are cookies in place which cache login user details, to be used throughout the application for authorising transaction instructions. For those customers using the online application process, there are also cookies on our website that are being used to store data for the Application states as part of the Application Centre to allow users to retrieve the status of their Application.

Unless you have provided it to us otherwise than through the DDH website, we will only record your email address if you send us a message. In those circumstances, your email address will not be automatically added to any mailing list.


8. What are the consequences of not providing us with the information requested?

If you do not provide us with the requested personal information, or if the information you give us is incomplete or inaccurate, we may be delayed or prevented from providing you any products or services, carrying out any transaction for you, providing information to you, processing any application, or otherwise meeting our obligations to you. If you choose not to provide your tax file number, and do not claim an exemption, we are required to deduct tax on any income distribution at the prescribed rate plus Medicare levy.


9. How do we use your personal information?

We use the personal information we collect primarily to provide you with a range of products and services, to meet our obligations to you and to enable us to conduct our business, including:

  • administering and reporting to you on a variety of investment products, carrying out investments on your behalf as well as managing and reporting to you on your investments;
  • providing you with superannuation administration services and insurance claims processing;
  • establishing accounts or other banking facilities on your behalf with third party financial institutions, and administering your accounts or other banking facilities;
  • negotiating and documenting leases and related decisions; communicating operational matters in relation to tenancies; and arranging for the sale of premises;
  • conducting our internal business operations (including meeting any relevant legal requirements);
  • testing new systems of functionality for product improvement purposes (in a controlled environment);
  • managing client relationships and improving the services we provide; and
  • assessing applications for employment.

We may also anonymise your data for our own purposes including new product development; and from time to time use your personal information to provide you with information about financial and superannuation products and services or events which we expect may be of interest to you, through our newsletters and other promotional materials. However, we respect your right to ask us not to do this.


10. Electronic Verification

To meet our obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), with your consent, we may use your personal information to verify your identity through the process of electronic verification. We may also perform the same process to re-identify you, from time to time. We will disclose your personal information to our service provider for electronic verification, who will match and exchange your personal information with external data sources, via the Australian Government's Document Verification Service (DVS), which allows organisations to compare individuals' ID information with government records. If you do not consent to us verifying your identity electronically, we will provide you with an alternate verification process.


11. To whom do we disclose personal information?

We will only disclose personal information for the purposes for which it was collected or in the following circumstances:

  • internally to our staff;
  • to any entity owned or controlled by DDH;
  • to our related bodies corporate;
  • to any person where necessary or desirable in connection with the provision of our products or services, including to financial institutions where we may establish accounts or other banking facilities on your behalf;
  • to our professional advisers such as auditors, accountants and lawyers, insurance companies, property managers, consistent with normal business practices;
  • to your nominated financial advisers or agents with your permission;
  • to Superannuation Trustees and Promoters;
  • to third parties we may engage from time to time to assist us in the promotion of our products and services, and who may receive limited personal information for that purpose;
  • to external service providers (on a confidential basis) so they can provide us services related to our business, for example mailing services, IT services, unit registry and custodial services, archives services, and off-site secure data storage providers. We require our service providers to adhere to our Privacy Policy and not to keep, use or disclose personal information we provide to them for any unauthorised purpose;
  • where required or authorised by law;
  • where you consent to the disclosure; and
  • we do not sell personal information for marketing purposes to other organisations or allow other companies that we have shared your information with, to do this.


12. Cross-border disclosure of personal information

In some circumstances the parties with whom we share personal information may operate outside of Australia. As a result, your personal information may be disclosed to a recipient in a foreign country, including in India, New Zealand, and the United Kingdom. Where this occurs, we require the recipient to take steps to protect personal information against loss, misuse and unauthorised access, modification, or disclosure.


13. How secure and accurate is your personal information?

We will take reasonable steps to ensure that all personal information we collect or use is:

  • accurate, complete, up-to-date, relevant, and not misleading;
  • stored in a secure environment; and
  • protected from misuse and loss as well as unauthorised access, modification, or disclosure.

If any of your details change, please let us know as soon as possible by using the contact details below so we can maintain the accuracy of your personal information.


14. Data breach notification

We acknowledge the introduction of a mandatory data breach notification scheme which commenced on 22 February 2018. In the event of an ‘eligible data breach’ we will promptly notify the Office of the Australian Information Commissioner and any affected or at-risk individuals. Generally speaking, this would be when we have reasonable grounds to believe that there has been unauthorised access or disclosure of personal information, or that the information has been lost in a way that is likely to give rise to unauthorised access or disclosure. Importantly, we are only required to make a notification where there is a likely risk of serious harm as a result of the unauthorised access or disclosure.

If we notify you of a breach, where possible we will provide recommendations as to the steps you should take regarding the breach.

There are a few exceptions that apply in relation to our obligation to notify you of an eligible data breach. These include where we have taken sufficient remedial action before any serious harm is caused.


15. How can you access and correct your personal information?

You have a right to access personal information we hold about you. We will comply with any request to access your personal information that you send us by email except where the Act or the APPs allow us to refuse to do so. There is no fee for making a request to access your personal information, but we may charge a fee for giving you access to your personal information in a mutually agreed format, usually by sighting the accessible information held on file.

You also have the right to ask us to correct information about you that is inaccurate, incomplete, out-of-date, irrelevant, or misleading. If we refuse to correct your personal information as requested, we must:

  • notify you in writing of the reasons for the refusal unless it would be unreasonable to do so, and how to complain of the refusal; and
  • upon request from you that we associate a statement that the information is inaccurate, incomplete, out-of-date, irrelevant, or misleading, take such steps as are reasonable in the circumstances to associate such a statement so that it will be apparent to users of the information.


16. DDH links to other websites

Sometimes the DDH website may contain a link to third party websites. We are not responsible for the content or material contained in, or obtained through, any third-party website or for the privacy practices of the third-party website. We suggest that you review the privacy policy of each website that you visit.


17. How can I contact DDH?

If you have any questions or complaints about how we handle your personal information, you can contact our Privacy Co-ordinator, being our Head of Compliance, on 1800 226 174 during business hours or email.

We will consider and respond to any complaint notified to us within 30 days. We will always endeavour to resolve any complaint to your satisfaction. Further details about how we handle complaints can be found in our Financial Services Guide.


18. Australian Privacy Commissioner

If you are not satisfied with the way in which we handle your enquiry or complaint, you can contact the Office of the Australian Privacy Commissioner


19. Changes to this Privacy Policy

This is our current Privacy Policy outlining our personal information management practices. This Policy replaces any other privacy policy published by us to date. We may vary this policy from time to time. We encourage you to review the DDH website regularly to ensure that you are aware of our current Privacy Policy.