Privacy & Whistleblowing Policy


When does this policy apply?

This policy sets out the principles that Mulpha Australia Limited and its subsidiaries (Mulpha/we/us/our) adopt in the conduct of our business in order to protect your personal information. A number of our subsidiaries engage in activities under other brands. You can contact the Mulpha Group Privacy Officer to verify the details of the corporate group entity that this policy applies to. You can obtain a copy of this policy from our website at or by contacting our Privacy Officer whose details are set out below.


Protecting Your Privacy
Mulpha are committed to providing you with exceptional service, and this includes protecting your privacy and being open and transparent about what we do with your personal information. We aim to maintain a safe and secure system of handling your personal information, whilst still providing access to your personal information when required. For this reason, we aim to ensure that your personal information is handled in strict compliance with the Australian Privacy Principles (APPs) which are part of the Commonwealth Privacy Act 1988.


This Policy

This policy explains what kind of information we collect and hold; how and why we collect, hold and use it; and how and to whom we disclose that information. It also provides details about how you may access and seek correction of the personal information that we hold about you, and what you can do if you are not satisfied with how we have dealt with your personal information.


What is Personal Information and how do we collect it?

Personal information is information or an opinion (whether true or not and whether recorded in a material form or not) about an individual from which they can be reasonably identified. Depending on the circumstances, we may collect personal information from an individual in their capacity as a client, customer, contractor, stakeholder, job applicant or in some other capacity.


In the course of our business and providing products and services we collect and hold:

  • Personal Information including names, addresses and other contact details; dates of birth; and financial information.
  • Sensitive Information including government identifiers (such as TFN), nationality, country of birth, professional memberships, family court orders and criminal records.

As part of our recruitment processes for employees and contractors, we may collect and hold:

  • Personal Information including names, addresses and other contact details, dates of birth, financial information, citizenship, employment references, regulatory accreditation, media, directorships, property ownership and driver’s licence information.
  • Sensitive Information including government identifiers (such as TFN), nationality, country of birth, professional memberships, family court orders and criminal records.

Generally, we will seek consent from you in writing before we collect your sensitive information.


We only collect personal information about you that is necessary for us to carry on our business functions. The information we collect about you depends upon the nature of our dealings with you. Generally we only collect personal information from you, unless it is not reasonable or practical to do so in which case we may also collect personal information about you from third parties.


Information we collect from you
We collect personal information from you during your interactions with us, for example if you:

  • make an enquiry about our properties, products or services, or visit our properties;
  • phone, email or write to us, or visit our website;
  • make a reservation to dine or stay with us, or have an event with us;
  • become a member of one of our clubs or provide your details for our mailing list;
  • purchase our services or products online;
  • propose to provide, or provide goods or services to us or our customers;
  • receive goods or services from us, or agree to receive goods or services from us;
  • make an application to invest with us;
  • make an application for finance from us;
  • or another individual is injured during your interaction with us
  • or another individual makes a complaint or where there has been a threat or damage to personal property.

We may collect information based on how you use our website. We use ‘’cookies’’ and other data collection methods to collect information on website activity such as the number of visitors, the number of pages viewed and the internet advertisements which bring visitors to our website. This information is collected to analyse and improve our website, marketing campaigns and to record statistics on web traffic.


If you access your account with us online through a secure area of our website, we will collect your personal information using cookies. This is designed to track the use of our website and to allow our customers to effectively access their account information.  This information is collected for security purposes and to protect the integrity of account details.


Information we collect from others

We collect personal information about you from third parties such as:

  • our service providers. For example when you make an enquiry about our properties, products or services to our service provider who assists us in providing our products or services to you;
  • booking agents. For example when you enquire or make a reservation through a third party booking agent to dine or stay with us, or have an event with us;
  • other goods or service providers, and our clients. For example when you provide a trades or finance reference as part of entering into an agreement with us and you have agreed for your personal information to be shared with us
  • your financial advisor, accountant, agent, or third party intermediaries and you have agreed for your personal information to be shared with us;
  • someone that is appointed as your personal representative, attorney or legal representative;
  • third parties to whom you have provided your personal information and consented for that information to be shared with us.


Sensitive information

We only collect sensitive information if it is:

  • required by applicable laws or rules
  • reasonably necessary for one or more of our business functions or activities, and we have your consent;
  • necessary to lessen or prevent a serious threat to life, health or safety.


Customer rights
Wherever it is lawful and practicable, we will give you the option of not providing information when dealing with us.  However, in most cases, if you do not provide the full and complete information requested we will be unable to provide our products or services to you.


Using your information
We only use your personal information for:

  • the reasons we collected it, that is where it is reasonably necessary for one or more of our business functions or activities (the primary purpose),
  • a related secondary purpose that would be reasonably expected by you;
  • the purposes set out in this policy;
  • an activity or purpose to which you have consented.


We use your personal information so we can, amongst others:

  • establish and verify your identity;
  • provide, manage and administer the provision of our goods and services to you;
  • process a payment, including credit card payment;
  • assess your application for any financial product or finance (including where you have consented to act as a guarantor);
  • contact you and manage our relationship with you;
  • identify and tell you about other products or services that we think may be of interest to you (unless you tell us not);
  • conduct, manage and improve our business and our customers experience;
  • design, price and administer our products and services;
  • manage our risks and identify and investigate illegal activity, such as fraud, bribery or corruption; and
  • comply with our legal obligations such as under the such as under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act and AML/CTF Rules) and assist government and law enforcement agencies or regulators.

We may also collect, use and exchange your information in other ways where required by law or permitted by Privacy Act 1988.

Direct marketing
If you don’t want to receive direct marketing, you can tell us by emailing us and telling us which list you would like to be removed from at or write to us at Level 5, 99 Macquarie Street Sydney, NSW 2000 Australia. If we undertake direct marketing we acknowledge that we are bound by the Spam Act 2003 and the Do Not Call Register Act 2006.

Using government identifiers

If we collect government identifiers, such as your tax file number, we do not use or disclose this information other than required by law. We will never use a government identifier in order to identify you.

Disclosing your information
The reasons for disclosing your personal information and the parties to whom we might disclose it will be reasonably apparent to you when we collect your information. Our disclosure of your personal information will only be in connection with our business activities or where you have given consent. Where personal information is disclosed to any third party we will take reasonable steps to ensure that the person receiving your personal information keeps it confidential and does not misuse it or improperly disclose it to any other person.

Personal information may be shared between different entities within the Mulpha Group but where this occurs the principles contained in this policy will continue to apply to it.

We may disclosure your personal information to following parties:

  • our product and service providers who provide, manage or administer our properties, products or services on our behalf;
  • our product and service providers who assist us to provide, manage or administer our properties, products or services to you;
  • consultants and contractors and their sub-contractors who provide services to us;
  • our representatives, associates, joint venture partners, partners, agents;
  • our professional advisors;
  • those to whom we outsource certain functions, for example, postage, marketing, printing, accounting, administration, debt recovery and IT support;
  • referees provided by you to us;
  • insurers and re-insurers;
  • auditors;
  • any person considering acquiring an interest in our business or assets;
  • any organisation providing verification of your identity (including information you have told us as part of AML/CTF Know Your Customer checks), or bank account, credit card or other payment information;
  • claims-related providers, such as assessors and investigators, who help us with claims;
  • financial institutions, for example so that we can process a claim for mistaken payment;
  • government and law enforcement agencies or regulators;
  • any industry body, tribunal, or court;
  • entities established to help identify illegal activities and prevent fraud;
  • any person where we are required by law to do so; and
  • any person or organisation where you have given your consent.


We will not sell your personal information to other organisations.


Credit information

We may collect the following kinds of credit information and exchange this information with credit reporting bodies and other entities:

  • credit liability information being information about your existing finance which includes the name of the credit provider, whether the credit provider holds an Australian Credit Licence, the type of finance, the day the finance is entered into, the terms and conditions of the finance, the maximum amount of finance available, and the day on which the finance was terminated;
  • repayment history information which is information about whether your meet your repayments on time;
  • information about the type of finance that you are applying for;
  • default and payment information; and
  • court proceedings information.


We exchange this credit information for the purposes of assessing your application for finance and managing that finance (including where you have consented to act as a guarantor to the provision of finance by us). For how this credit information may be held by us refer to ‘Storage and Security of Personal Information’ below. When we obtain credit information from a credit reporting body about you, we may also seek publicly available information and information about any serious credit infringement that you may have committed. We may disclose your credit information to overseas entities that provide support functions to us. Please see the heading ‘Disclosure of your personal information to overseas recipients’ below.


Notifiable matters

The law requires us to advise you of ‘notifiable matters’ in relation to how we may use your credit information. You may request to have these notifiable matters (and this privacy policy) provided to you in an alternative form.

We exchange your credit information with credit reporting bodies. We use the credit information that we exchange with the credit reporting body to assess your creditworthiness, assess your application for finance and managing your finance.

If you fail to meet your payment obligations in relation to any finance that we have provided or arranged or you have committed a serious credit infringement then we may disclose this information to a credit reporting body.

You have the right to request access to the credit information that we hold about you and make a request for us to correct that credit information if needed. Please see the headingsHow do you access your information?’ and ‘How do you Correct or update your information?’ below.


Sometimes your credit information will be used by credit reporting bodies for the purposes of ‘pre-screening’ credit offers on the request of other credit providers. You can contact the credit reporting body at any time to request that your credit information is not used in this way.

You may contact the credit reporting body to advise them that you believe that you may have been a victim of fraud. For a period of 21 days after the credit reporting body receives your notification the credit reporting body must not use or disclose that credit information. You can contact any of the following credit reporting bodies for more information:,,, or


Disclosure of your personal information to overseas recipients
We may disclose your personal information to an overseas organisation in the course of providing our goods or services to you, for example if any of the above named parties are located overseas, or directly to our own offices or agents in an overseas location, or when storing information with a “cloud service provider” which stores data outside of Australia. Where we do this, we make sure as far as reasonably possible that:

  • we have your consent (which may be implied);
  • we have satisfied ourselves that the overseas recipient is compliant with the Australian Privacy Principles, or a similar privacy regime;
  • appropriate data handling and security arrangements are in place;
  • we form the opinion that the disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety; or
  • we are taking appropriate action in relation to suspected unlawful activity or serious misconduct.

Please note that some of these overseas recipients may not operate in countries which have a similar privacy regime to Australia.


Storage and Security of Personal Information
We store personal information in a variety of formats including, but not limited to:

  • databases
  • hard copy files
  • personal devices, including laptop computers
  • third party storage providers such as cloud storage facilities
  • paper based files.


We take all reasonable steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure. These steps include, but are not limited to:

  • Restricting access and user privilege of information by staff depending on their role and responsibilities.
  • Ensuring staff do not share personal passwords.
  • Ensuring hard copy files are stored in lockable filing cabinets and/or in lockable rooms. Staff access is subject to user privilege.
  • Ensuring access to our premises is secured at all times.
  • Ensuring our IT and cyber security systems, policies and procedures are implemented and up to date.
  • Ensuring staff comply with internal policies and procedures when handling the information.
  • Undertaking due diligence with respect to third party service providers who may have access to personal information, including customer identification providers and cloud service providers, to ensure as far as practicable that they are compliant with the Australian Privacy Principles or a similar privacy regime.
  • The destruction, deletion or de-identification of Personal Information we hold that is no longer needed, or required to be retained by any other laws.


Our public website may contain links to other third-party websites outside of the Mulpha Group. We are not responsible for the information stored, accessed, used or disclosed on such websites and we cannot comment on their privacy policies.


Responding to data breaches

We will take appropriate, prompt action if we have reasonable grounds to believe that a data breach may have, or is suspected to have occurred. Depending on the type of data breach, this may include a review of our internal security procedures, taking remedial internal action, notifying affected individuals and the Office of the Australian Information Commissioner (OAIC).

If we are unable to notify individuals, we will publish a statement on our website and take reasonable steps to publicise the contents of this statement.


The Quality of Personal Information

We take all reasonable steps to ensure the Personal Information we hold, use and disclose is accurate, complete and up-to-date, including at the time of using or disclosing the information.

If we become aware that the Personal Information is incorrect or out of date, we will take reasonable steps to rectify the incorrect or out of date information.


How do you access your information?
You may ask us what personal information we hold about you, and you may make a request to access to this information at any time. You may make a request by us by contacting our PRIVACY OFFICER (see below contact details). We may ask you to complete a PERSONAL INFORMATION REQUEST FORM and will process your request within a reasonable time and try to make this information available within 30 days of your request. Before we give you the requested information we will need to confirm your identity.

We generally will not charge you a fee in respect of such access but reasonable administrative costs may be charged in some circumstances. If there is an access charge, we will give you an estimate first and ask you to confirm that you would like us to proceed, if you would like us to we do require payment up front. Generally, the access charge is based on an hourly rate plus any other reasonable costs incurred by us such photocopying and postage. We do not need to provide access to your information in several circumstances; for example, the information is commercially sensitive, the request is frivolous or would unreasonably interfere with another person’s privacy or be in breach of the law, or, where to provide access would pose a threat to health or public safety. If we refuse you access we will advise you of our reasons for doing so.


How do you Correct or update your information?
You may ask us at any time to correct the information we hold about you or that we have provided to others us by contacting our PRIVACY OFFICER (see below contact details). We will process your request within a reasonable time and try to correct the information within 30 days. If it looks like it will take longer, we will let you know the reason for the delay and try to agree to an extended timeframe with you.

If we are able to correct your information because it is indeed inaccurate we will inform you when it is so corrected.

If we disagree with you that the information is inaccurate and should be corrected, we will inform you in writing of our reasons. You may request that we attach a statement to that relevant information noting that you consider it is inaccurate misleading, incomplete, irrelevant or out-of-date. We will take reasonable steps to comply with such a request.


What can you do if you have a complaint?
If you are not happy in respect of how we have dealt with your personal information or in gaining access to it, please contact our PRIVACY OFFICER to discuss your concerns (see below contact details). We will respond to the complaint within a reasonable time (usually no longer than 30 days) and we may seek further information in order to provide a full and complete response. If we do not resolve your complaint to your satisfaction or we are unable to resolve your complaint you have the right to refer the matter the Office of the Federal Privacy Commissioner – Privacy Hotline on 1300 363 992 or visit their website at  or writing to GPO Box 5218 Sydney NSW 2001. A referral to OAIC should be a last resort once all other avenues of resolution have been exhausted.

How to contact us:

Address: Mulpha Group Level 5, 99 Macquarie Street  Sydney, NSW 2000 Australia
Phone: +61 2 9270 6186  Email:


Changes to our privacy and information handling practices

This Privacy Policy is subject to change at any time. Please check our Privacy Policy on our website regularly for any changes.


This Privacy Policy was approved by the Board on 28 February 2018.




In line with better practice and good corporate governance, the Board of Directors (“Board”) of Mulpha International Bhd and its subsidiaries (collectively, “Mulpha”) has adopted a Whistleblowing Policy & Procedure (“Policy”) to ensure high standards of conduct and ethical behaviour across the business and to ensure that individuals who disclose wrongdoing (“Whistleblowers”) can do so safely, securely and with confidence that they will be protected and supported. This Policy articulates the avenues through which employees and other stakeholders can raise genuine
concerns of actual or suspected misconduct (“Reportable Conduct”). For the purposes of this Policy, Reportable Conduct refers to any contravention of Mulpha’s ethical, internal policy or legal standards; including fraud, bribery and corruption. The Board is committed to ensuring that all disclosures of Reportable Conduct are treated confidentially, with individuals having the option to remain anonymous should they so choose, and that  whistleblowers be afforded protections including avoiding fear of intimidation, disadvantage or reprisal (“Detrimental Conduct”). This Policy should be read in conjunction with Mulpha’s Code of Conduct and Conflicts of Interest Policy.


This Policy applies to all current and former directors, employees, officers, contractors and consultants of Mulpha (including their spouses, dependants and other relatives). These individuals are encouraged to report any genuine concerns about matters, transactions or behaviour that they feel contravenes Mulpha’s policies, standards and/or obligations. Reportable Conduct within the scope of this Policy includes, but is not limited to:

  • conduct or practices which are illegal or breach any law or Listing Requirements of Bursa Malaysia Securities Berhad;
  • dishonest, unethical or corrupt behaviour;
  • payment or receipt of a bribe/inducement;
  • theft, fraud or misappropriation of Mulpha’s assets/resources;
  • abuse of position or authority for personal gain; or
  • breach of internal policies.

Personal, work-related grievances, with no implications for Mulpha (for example, interpersonal conflicts between employees, or dissatisfaction about a performance outcome) are not considered Reportable Conduct
under this Policy. This excludes:

  • mixed reports or disclosures that include information about misconduct that are accompanied by a personal work-related grievance;
  • where there is an allegation, made in good faith, that employment or other laws have been breached or that conduct has occurred that represents a danger to the public; or
  • where the discloser suffers from or is threatened with detriment for making a disclosure.

Where a concern is raised in good faith, Mulpha will investigate and deal with substantiated misconduct in an appropriate and timely manner.



For the purposes of this Policy and in accordance with AS 8001-2008, Mulpha defines fraud, bribery and corruption as follows:

(a) Fraud is any dishonest activity causing actual or potential financial loss to any person or entity that involves the use of deception. Fraud includes theft of monies or other property, as well as the deliberate falsification, concealment, destruction or use of falsified documentation. It also includes the improper use of information or position for personal financial benefit (irrespective of whether the benefit is obtained by the offender or a third

(b) Bribery is the act of paying a secret commission to another individual. It is also used to describe the secret commission itself. More broadly, the payment of a bribe has the intention to alter the behaviour of the recipient, whether the recipient is a natural person or an entity/company.

(c) Corruption is any dishonest activity in which an employee acts contrary to the interest of the entity and abuses his/her position of trust in order to achieve some personal gain or advantage for him or herself or for another person or entity.


  • Malaysia
    Under the Whistleblower Protection Act 2010 (Malaysia), an individual that provides information disclosing an act of improper conduct to a relevant enforcement agency in good faith and on honest and reasonable grounds is entitled to certain protections and immunities. This includes protection of confidential information, immunity
    from civil and criminal action, and protection against detrimental action. These protections may be revoked under certain conditions, and it is therefore advised that individuals wishing to make a disclosure under the Whistleblower Protection Act 2010 seek legal advice.
  • Australia
    The Corporations Act 2001 (Corporations Act) and the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 provide a consolidated Whistleblower protection regime for Australia’s corporate sector. Individuals are entitled to disclose Reportable Conduct to eligible internal recipients but also to legal practitioners or Regulators, and in certain circumstances to journalists or members of parliament, and have the report treated confidentially and be protected from Detrimental Conduct. While individuals disclosing Reportable Conduct are protected from any civil, criminal or administrative liability arising from the act of the disclosure (including where there is a breach of an employment contract, duty of
    confidentiality or other contractual obligation), individuals are not granted immunity from prosecution for any
    misconduct revealed by their disclosure.


In the event an employee or other individual becomes aware of an actual or suspected case of misconduct breach of ethical or legal standards, they should report their concerns to their immediate supervisor. However,
where the individual feels uncomfortable speaking with their manager, or their manager is involved in the alleged misconduct, reports should be made to a designated Whistleblowing Officer. Making a report to a
Mulpha Whistleblowing Officer is necessary to qualify for protections under the Corporations Act.

Group Internal Audit & Risk Manager
Phone: +61 2 9239 5500
Transport House
Level 5, 99 Macquarie Street
Sydney NSW 2000

Individuals may also elect to disclose Reportable Conduct directly to ASIC, APRA or another regulatory body (collectively “Regulators”). In addition, Whistleblowers may choose to disclose Reportable Conduct to a journalist or member of parliament, provided that certain requirements are met qualifying the report as either a “public interest” or “emergency disclosure”. These requirements include that the alleged misconduct must
be reported to a Regulator before being disclosed to a journalist or a  member of parliament in circumstances where they believe that the misconduct is a matter of public interest. In circumstances where there is a
substantial and imminent danger to the health or safety of one or more persons or to the natural environment, an emergency disclosure may be made to a journalist or member of parliament without prior disclosure to a
regulator. It advised that any employee wishing to make such disclosures seek independent legal advice. To assist individuals who wish to make a report, a “Whistleblowing Report Form” is attached to this document as an Appendix. Whistleblowers and those receiving a complaint are encouraged to use this form as a means of capturing pertinent information that will form the basis of any subsequent investigation.


An individual can elect to make a report anonymously or can choose to identify himself/herself. Mulpha recognises that the provision of anonymity to any individual/employee who willingly comes forward to report a suspicion of fraud is sometimes necessary to enable reporting. However, where an anonymous report is made, Mulpha will not be able to keep the Whistleblower informed on the progress of the investigation or seek
additional information to assist with inquiries. This may hinder Mulpha’s investigation. Where the identity of the Whistleblower is known, Mulpha will ensure that the individual is kept informed of the actions taken in relation to the report. All reports received, whether anonymously or otherwise, will be treated confidentially.
All reasonable effort will be made to maintain the confidentiality of the Whistleblower, in particular, the fact that a report has been filed, the nature of the reported conduct and the identity of the person(s) alleged to have engaged in said conduct. Any information coming into the possession of a person from a Whistleblower, the identity of the Whistleblower
or information which may lead to their identity will not be disclosed to anyone who is not involved in the investigation without prior consent of the Whistleblower, unless obliged to do so by law. Employees will not be discriminated against or disadvantaged in their employment as a result of making a report in good faith in accordance with this Policy.
Disclosing the identity of individuals, failure to treat disclosures with due confidentiality and taking Detrimental Conduct towards a protected Whistleblower (as a result of making a report) are crimes. Mulpha does not
tolerate any attempts to retaliate against individuals who have made  reports. Any employee found to have instigated Detrimental Conduct against a Whistleblower will face disciplinary action. Detrimental Conduct
includes any of the following:

  • dismissal of an employee;
  • harm or injury of an employee, including psychological harm;
  • alteration of an employee’s position or duties to his or her disadvantage;
  • discrimination between an employee and other employees of the same employer;
  • harassment or intimidation of a person;
  • damage to a person’s property, reputation or financial position; and
  • any other damage to a person.


If a Whistleblower feels they have been the subject of Detrimental Conduct as a result of their report, they can report this to a Mulpha Whistleblowing Officer for investigation. Where founded, appropriate action will be
taken. Individuals alleging Detrimental Conduct may seek compensation and other remedies through the courts and are encouraged to seek independent legal advice.


All reports of alleged misconduct will be investigated in a confidential and discreet manner. Investigations will adhere to the principles of  independence, objectivity, confidentiality and natural justice. Each instance of alleged misconduct will be investigated by the Group Internal Audit & Risk Manager, with the assistance of subject matter experts as and when required. This may include involvement of senior management from Human Resources, Legal, Compliance and Company Secretariat.
Where the identity of the Whistleblower is known, the investigating officer may request additional information or a written statement to assist in the collation of facts and substantiation of claims. Where an allegation is substantiated, Mulpha will take appropriate action. This may include, but is not limited to dismissal, disciplinary action, referral to external authorities, training and internal control enhancement. The outcomes of all whistleblowing investigations will be provided to the Mulpha Board Audit Committee, with the Group Internal Audit & Risk Manager reporting on whistleblowing activities each quarter.


As described above eligible persons who disclose Reportable Conduct in accordance with this Policy qualify for protection under law, including protection of their identity and from Detrimental Conduct, even where the
disclosure turns out to be incorrect, as long such disclosures are made in good faith. However, where an employee is found to have made a report that is malicious, purposefully misleading or deliberately untrue, the
making of the report will be regarded as misconduct and may be subject to disciplinary action.


This policy will be reviewed at least annually or as required if there are material changes to the applicable legal or regulatory framework.
Training is provided to employees about their rights and obligations under this policy including induction training for new starters. The policy is displayed both on Mulpha’s intranet and site noticeboards. This policy
is available on the Mulpha Corporate website.

All queries regarding this Policy should be directed to the Group Internal Audit & Risk Manager.

This Policy was updated following release of the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (Whistleblower Protections Act).
The Policy was last reviewed and approved on 29 November 2019.