4th Annual Anti-Money Laundering Forum
Speech by Timothy Pilgrim, Deputy Privacy Commissioner, to the Australian Bankers' Association Inc., Sydney, 14 March 2008.
Introduction to the Office
I would like to thank the ABA for inviting me to speak to you today.
During my presentation I want to provide you with detail, or at least as much detail as my time allows, on what our Office sees as the major privacy issues concerning AML regulatory reform and the federal Privacy Act.
I hope that I can also convey the importance of understanding Privacy Act obligations when considering the compliance requirements of AML regulation.
Introduction to the Office of the Privacy Commissioner
To begin, for those of you who may not be familiar with our work, I will say a few words on the role of the Office.
The Office of the Privacy Commissioner is an independent statutory body charged with assisting the Privacy Commissioner to fulfil a range of responsibilities under the Commonwealth Privacy Act 1988. In December 2007, the Prime Minister announced that responsibility for the administration of the Privacy Act would move from the Attorney-General and his department to the Department of the Prime Minister and Cabinet.
In many ways, the core of our work is related to the Commissioner's regulatory functions and in particular the investigation of the 1,100 or so complaints that we receive annually.
The Office takes a facilitative approach to its regulatory role. We place a strong emphasis on working with Australian Government agencies and organisations to encourage information handling practices which protect individuals' privacy while at the same time recognising the need for businesses and agencies to carry out their functions.
In addition to this regulatory role, the Office also provides policy advice to government and performs an educational role, including in responding to approximately 18,000 calls and in excess of 2,000 emails we receive each year.
In seeking to promote and protect privacy, the Office recognises that the right to privacy is not absolute. Privacy rights must be balanced with regard to other important and sometimes competing rights and interests. The Privacy Act does this by providing a range of exceptions to its regulatory obligations, some of which I will mention today.
Overview of the Privacy Act
In providing an overview of the Privacy Act, I would start by noting its jurisdiction. The Act provides protection for personal information that is handled by federal and ACT Government agencies, private sector organisations which have an annual turnover of more than $3 million, all health service providers (regardless of turnover), businesses that trade in personal information and Commonwealth contractors.
In addition, the Act regulates credit worthiness information held by credit reporting agencies and credit providers, as well as individuals' tax file numbers.
I will limit my comments today to the private sector regulation established by the ten National Privacy Principles enacted in 2001.
An important starting point in understanding privacy regulation in Australia is that the federal Privacy Act is principle-based. The aim of principle-based law is to promote the intentions and objectives of the law rather than to set down in detail what the regulated party may or may not do.
This principle-based approach provides the scope and flexibility for organisations to find their own ways to meet the requirements of the law in a manner that suits their particular circumstances, while meeting the broad policy intent of the regulation.
The Privacy Act also aims to be technology neutral. It would be near impossible to keep statute law up to date during a period of significant technological change.
Within this framework, the Privacy Act also allows for co-regulation within a particular industry through privacy codes approved by the Privacy Commissioner, which may include special protections around a particular technology, practice or process. This code-making power, coupled with the inherent flexibility of principle-based law, does much to ensure that the Privacy Act remains relevant as social and technological contexts change.
The meaning of 'personal information'
Within this principle-based, technology-neutral approach, lies the protection of individuals' 'personal information'. An understanding of what is, or is not, personal information is essential to understanding the potential scope of your compliance obligations.
The statutory definition of personal information refers to information or opinion about an individual whose identity is apparent or can be reasonably ascertained. Whether an identity can be reasonably ascertained will be determined by the context in which that information is held. This may include information that can be linked to or can identify a specific individual through association or inference.
In this sense, personal information does not always need to include an individual's name.
The National Privacy Principles
I will now say a few words on specific obligations established under the Privacy Act, before moving on to explain how they may apply to AML/CTF regulation.
Since 2001, the Privacy Act has included ten National Privacy Principles or 'NPPs'. These regulate the way private sector organisations handle personal information including regarding its collection, use and disclosure, security and destruction.
More tangibly, this regulation requires such things as:
- not collecting personal information that you don't need;
- telling consumers why you are collecting personal information and giving them access;
- in general, only using it for the purpose for which you have collected it; and
- keeping it secure, up-to-date and destroying it when you don't need it any more.
In addition, the NPPs recognise that some personal information, such as health related information, information about religious and philosophical beliefs, political opinions, membership of a political organisation or union, sexual preferences, criminal record and racial and ethnic origin, are all considered 'sensitive' and as such afforded a higher level of protection. An organisation can usually only collect 'sensitive information' with consent and there are tighter restrictions on how it may be used and disclosed.
How does the AML/CTF Act interact with the Privacy Act?
In regard to how the Privacy Act interacts with AML regulation, perhaps the most significant matter is that the new AML/CTF regime has extended the scope of privacy regulation.
Ordinarily, businesses with a turnover of $3 million or less are exempt from the Privacy Act.
Now, under new legislation enacted as part of the AML/CTF Act, all small businesses that are reporting agencies for AML purposes are covered by the Privacy Act regardless of their annual turnover. For large organisations, such as banks, this is unlikely to have any impact as they have been covered by the NPPs since 2001. This extension of privacy regulation may, however, affect such smaller businesses as real estate agents, accountants, lawyers and notaries, as well as bookmakers.
Notably though, for these small businesses, the Privacy Act will only apply to personal information handled for AML/CTF purposes. Personal information collected by these small businesses for purposes unrelated to AML will be unaffected.
In practice though, such reporting entities may find it less complex to simply handle all the personal information they collect as if it is covered by the Privacy Act. This negates the need to try to distinguish between information that is covered and that which isn't.
Privacy Act obligations under AML/CTF regulation
So what does this mean for AML compliance and what do organisations need to do to ensure that they comply with both their AML and Privacy Act obligations? I'm pleased to offer a few suggestions, which will focus on the key issues of:
- What personal information you may collect;
- What your customer should know; and
- How you should handle that information, including for how long you should keep it and what else you can use it for.
Collection of personal information for AML/CTF purposes
In regard to the collection of personal information, a key element of the AML/CTF Act is the necessity for a reporting entity to 'know your customer', including by ensuring that they hold sufficient information about individual customers to have a degree of certainty regarding their identity.
The AML/CTF Act requires businesses to take a 'risk based' approach to assess the level of scrutiny that needs to be applied to their customers and their business activities, based on the risk that the customer may be conducting transactions to launder money or finance terrorism. Obviously, the higher the risk, the more identification, collection and verification that may need to take place. The crucial consideration here will be to determine what level of collection of an individual's personal information is necessary in the context of the business activity taking place.
You may need to ask yourself some key questions to guide what is the appropriate degree of personal information needed - these questions might include:
- How likely is it that your business will be engaged by those attempting to launder money or finance terrorist activity?
- What would be a reasonable standard of collection required by the AML/CTF Act for the particular transaction or series of transactions taking place?
- What would a reasonable standard of collection be under the terms of the Privacy Act, which requires that personal information collected must be necessary for one of the organisation's functions or activities?
A key question that has emerged for reporting entities is whether the previous practice of requiring customers to provide 100 points worth of identity remains appropriate. This practice, which was prescribed under the Financial Transaction Reports Act, specified how many points each of the various different forms of identity document were worth toward compiling a minimum 100 points of 'identity'.
The risk based approach to identity authentication has replaced this model. Higher risk individuals require reporting entities to be more confident of their identity than lower risk. In some cases, using the 100 point model may be appropriate if it aligns with the degree of risk posed. In other cases though, you may not need to collect the equivalent of 100 points of identity to meet your AML obligations. Accordingly, where individuals are low risk, you will need to carefully consider whether it remains necessary to collect the same quantity of information about them as you have in the past. In this regard, it is important to remember your NPP 1 obligation to only collect personal information that is necessary for your activities. For example, it is unlikely to be appropriate to be collecting the same amount of personal information about high and low risk individuals.
What should your customer know?
I will now turn to what the Privacy Act requires in regard to what your customers should know about how you handle personal information in an AML context, particularly in regard to what notice you provide and what access you permit.
In regard to notice, the Privacy Act states at NPP 1 that you must take reasonable steps to tell individuals why you are collecting their personal information, including whether it is required by a law, as well as how you will handle it. This should generally be provided at the point you collect the information. In addition, organisations are required by NPP 5 to make available a privacy policy that provides anyone with general information on how personal information might be handled by that organisation.
These practices are intended to promote openness and transparency in the handling of personal information. In addition to being compliance obligations, they will also enhance consumer trust and confidence.
Obviously though, there may be times when it might not be appropriate to inform a customer that you have collected personal information, particularly in regard to suspicious transactions. In such cases, what constitutes "reasonable steps" under NPP 1 might be to do nothing.
An additional obligation established by NPP 6 requires reporting entities to grant their customers a right to access and, where necessary, have corrected personal information that you hold about them. If an individual asks for access to information collected about them for AML purposes, this should generally be provided. However, there is an exception to this general right of access, which provides that access may be denied where required by law. In this regard, organisations may need to consider the prohibitions in the AML/CTF Act against 'tipping off' customers concerning suspicious matter information.
How should personal information collected for AML purposes be handled?
In regard to how organisations may handle personal information collected for AML purposes, it is important to keep this information secure. For example, access to this information should be restricted only to personnel who are authorised to access it. You also need to ask yourself if your technology systems and physical security are secure from unauthorised intrusion or browsing.
NPP 4 also requires that organisations take reasonable steps to destroy or permanently de-identify personal information when it is no longer required. In determining how long such a period might be, you may wish to refer to any mandatory record retention periods in the AML/CTF Act.
Reporting entities also need to take reasonable steps to ensure that personal information is accurate and up-to-date. Promoting compliance with this obligation could usefully be built into requirements to conduct on-going customer due diligence for AML purposes.
Another issue is whether reporting entities may use AML information for other purposes.
Generally speaking, NPP 2 states that organisations may only use or disclose personal information about an individual for the main or "primary" purpose for which it was initially collected.
There are some exceptions to this, including:
- where the individual consents to the "secondary" use or disclosure;
- where it is required or authorised by law, such as where the AML/CTF Act may require reports be made to AUSTRAC of certain transactions; and
- where the secondary purpose is related to the primary purpose for which it was collected, or directly-related if the information falls within the definition of sensitive information, and the individual would reasonably expect this to happen.
If a reporting entity has no reason for collecting personal information other than to meet its AML obligations, then generally it will not be permitted to use that information for any other purposes.
Care should also be taken to ensure that the only personal information that is collected is that which is necessary for AML purposes. The opportunity should not be taken to collect more information on the basis that it may be useful for something else, either now or in the future.
Understanding privacy aspects of employee due diligence: HR policies and procedures
I would like to shift the focus a little now to talk about the privacy issues involved in employee due diligence in the context of the AML/CTF Act. Depending on the circumstances, the AML/CTF Rules may require a great deal of personal information be collected about the people employed by reporting entities and will also require that this information be stored in employee records.
There is a risk that the collection of an employee's personal information may, in some instances, be disproportionate to the level of their workplace responsibilities or ability to engage in risky activities. For instance, particular care should be taken when deciding whether an employer needs to collect 'sensitive information' about an employee as part of employee due diligence.
I should note here that personal information about private sector employees is generally exempt from the Privacy Act. While AML requirements may require the collection of substantial personal information about staff, there is currently no regulation around how this information may be handled once it is collected.
However, the employer / employee relationship is an important one based on mutual trust, and one that needs sensitive management. In the absence of specific privacy obligations for employee records, the Office's advice to you is to be clear and transparent at all times in how you handle employees' personal information. Tell your employees why you need to collect this information. If they understand the reasons you are collecting it, they will be reassured and less likely to feel defensive about the level of personal information they are providing.
The Office would further suggest that there is merit in handling employee records as though they are covered by the NPPs. Using these principles will help reassure employees that they are being fairly treated, and that personal information about them will not be misused or mishandled, thus helping to maintain a relationship of trust.
Conclusion
When meeting your AML/CTF obligations, don't leave privacy compliance as an afterthought, or something that can be "bolted on" retrospectively. Commonly, good personal information handling practices equate with good business practices, which in turn lead to trusting and loyal customers.
In conclusion, I would sum up the key elements to ensuring that reporting entities meet their obligations under the Privacy Act as being:
- only collect the minimum amount that is necessary to meet 'Know Your Customer' obligations;
- tell your customers for what purposes you are collecting personal information and how it will be handled;
- minimise any other purposes that you might use that information for, especially if the only reason you collect it is for AML compliance;
- keep your records accurate, up-to-date and secure;
- give your customers access to the information if they ask, and correct it where it is wrong; and finally
- destroy the information when it is no longer required.
Should you have further questions, I would also note that our Office has provided dedicated AML guidance information which is available from the business page of our website at www.privacy.gov.au.
Thank you.