Consultation on the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005; Submission to the Attorney-General's Department (April 2006)
Submission by the Office of the Privacy Commissioner to the Attorney-General's Department
April 2006
- Summary
- Consultation on the Exposure Draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005
- Office of the Privacy Commissioner
- Introduction
- Scope of existing regulation
- Scope and effect of the Exposure Bill
- Application of the Privacy Act to AML/CTF regulation
- Ensuring an appropriate response to AML/CTF risks
- Privacy regulation for the AML/CTF scheme
- Access to AUSTRAC-held data
- An alternative access regime
- Retention periods for "Part 10-Record keeping requirements"
- Reporting of suspicious matters
- Threshold amount for "significant transactions" reporting
- Rules and Guidelines
- Audit and information gathering powers
- Endnotes
Summary
- The Office accepts the public interest in ensuring that Australia's financial regulatory systems and procedures incorporate appropriate responses to the risks of money laundering and terrorist financing (paragraphs 31-34).
- When developing such responses, it is essential that any measures which may adversely affect the privacy of Australians are necessary and proportionate to both the nature and degree of risk that exists (31-34).
- The Exposure Bill would benefit significantly from having a Privacy Impact Assessment conducted (35-38).
- This submission notes that some, but probably not all, reporting entities will have obligations under the Privacy Act 1988 as to how they handle personal information collected pursuant to the Exposure Bill. It remains unclear, though, whether the coverage and content of the NPPs is adequate for the purposes of the regime envisaged under the Exposure Bill (20-30).
- This submission proposes a range of options for introducing consistent privacy regulation over all entities that may handle personal information under the terms of the Exposure Bill (39-53).
- The Office submits that the replacement of the existing regulation with new legislation, with its greater scope and impact, does not, of itself, necessarily justify the continuance of the present data-sharing arrangements so as to permit access to the welfare and assistance agencies (54-61).
- It is recommended that access by other agencies to AUSTRAC-held data be limited to more precisely defined purposes and be subject to additional transparency and oversight (62-64).
- The Office suggests that any prescribed period for which reporting entities must retain personal information be determined with reference to the specific purpose for which that information was initially collected (66-67).
- The Office submits that the Exposure Bill appears to establish a "suspicious matters" reporting regime that goes beyond the policy intent of the regulation. In light of the extension of the AML/CTF regime to new entities and transactions, consideration should be given to narrowing this provision to ensure that it sits more comfortably with the policy intention of addressing major crime and enforcing AML/CTF measures (68-75).
- The Office recommends that privacy protections should be built into the suspicious matters reporting regime, including qualified rights of access and correction to suspicious matters information, as well as narrowing the purposes for which information may be used or disclosed and the periods for which it may be retained (76-89).
- The Office notes that the threshold amount for a significant transaction report has remained constant for over 15 years and may warrant re-examination. The Office also suggests that examination be made of the provision in the Exposure Bill concerning the making of regulations prescribing 'threshold transactions' of less than $10,000 value (90-95).
- In the absence of the full suite of envisaged statutory Rules accompanying the Exposure Bill, the Office can see merit in the Bill being deferred until the entire AML/CTF package can be adequately examined. Mandatory consultation should be a requirement for any further Rules or amendments (96-99).
- The Office generally advocates the need for appropriate justification and proportionality in the granting of search, entry and questioning powers that entail the collection of personal information. It is important to balance the privacy protections with the potential collection and use of the information (105-108).
Office of the Privacy Commissioner
- The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (Privacy Act), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.
Introduction
- The Office welcomes the opportunity to make this submission to the Attorney-General's Department's inquiry into the Exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005 (the Exposure Bill).
- The Office has also made a submission to the Senate Legal and Constitutional Committee's Inquiry (the Senate Inquiry) into the Exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005. In addition, the Office provided evidence at the public hearings for the Senate Inquiry.1 This current submission incorporates and elaborates on matters submitted to the Senate Inquiry, as well as introducing additional issues, including:
- suspicious matter reporting (see paragraphs 68-89)
- AML Rules and Guidelines (96-104) and
- audit and information gathering powers (105-108)
Scope of existing regulation
- At present, the Financial Transactions Reports Act 1988 (FTR Act) regulates the reporting of certain financial transactions to AUSTRAC. The FTR scheme was designed to protect the Australian financial system against tax evaders and money launderers.2 At present, a number of agencies, including welfare and assistance agencies, utilise the financial transactions data currently collected by AUSTRAC under the FTR Act. As an Australian Government agency, AUSTRAC is covered by the Privacy Act.
- The Office understands that, in the 2004-05 financial year, AUSTRAC received 17,212 suspect transaction reports, 2,288,373 significant cash transaction reports and 10,243,774 international funds transfer instructions.3 The Office notes that the various categories of reporting have increased significantly since the regime was established. In addition, the volume of these reports is likely to increase significantly with the Government's proposed 'second tranche' of reforms, which will prescribe real estate agents, jewellers, accountants and lawyers as reporting entities.
Scope and effect of the Exposure Bill
- The Office understands that the Exposure Bill aims to enact the Australian Government's response to the recommendations of the Financial Action Task Force (FATF) on Money Laundering.4
- The Exposure Bill requires, amongst other things, 'reporting entities' that provide 'designated services' to:
- carry out identification and verification procedures concerning individuals before providing that service;
- report to AUSTRAC on 'suspicious matters', transactions that meet threshold criteria5 and international funds transfer instructions;
- develop and implement anti-money laundering and counter-terrorism financing programs for the purpose of identifying and "materially mitigating" risks; and
- maintain ongoing "due diligence" of the risk profile of their clients and report suspicious behaviour detected by such surveillance to AUSTRAC.
- The Exposure Bill, as the Office understands it, provides a legislative framework, with implementation to proceed in two tranches. Operational details will be prescribed by binding AML/CTF Rules, made under section 191 of the Exposure Bill. The Exposure Bill (and related Rules) will, if enacted, supersede the FTR Act and significantly extend the reach and the impact of the FTR Act by extending the obligations on existing reporting entities and introducing many new entities to its regulation.
- The introduction of new reporting entities to AML regulation in the implementation of the second tranche of reforms will substantially increase the number of entities subject to the Bill compared with the FTR Act, thereby capturing a greater volume of personal information, which in turn, may be disclosed to AUSTRAC, and in some cases, made available to other Australian, State and Territory Government agencies. Accordingly, it is important that consideration of the Draft Bill should recognise the likely future impact of the second tranche implementation.
- AUSTRAC will remain the Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulator, with broad powers that include, for example, the authority to determine which federal, state or territory agencies will have access to the personal information it collects.6 The Office notes that the overview document provided as part of the Exposure Bill package explains that AUSTRAC's role includes disclosing personal information to "law enforcement, revenue, national security, social justice and other regulatory agencies". The inclusion of "social justice" and the broad categorisation of "regulatory agencies" seems to envisage a role for AML/CTF regulation that is wider than the objects of the Exposure Bill. These objects, as described in section 3, are concerned with fulfilling Australia's international obligations to combat money laundering and terrorism financing.7 Accordingly, the classes of agencies to which AUSTRAC is permitted to disclose personal information should be relevant to these objects.
Impact of Exposure Bill on the handling of personal information
- If enacted in its current form and with both proposed tranches implemented, the Exposure Bill will impose personal information collection and disclosure obligations on far more entities than is currently the case under the FTR Act. If an organisation, regardless of type, provides a prescribed form of 'designated service' then it would be subject to the provisions introduced by the Exposure Bill. Section 6 provides two tables containing 64 'designated services' which, if performed, will bring the entity within the ambit of the proposed legislation. This differs from the FTR Act which regulates cash dealers classified primarily according to type of institution, rather than the type of transaction in question. This change in focus will increase significantly the number of entities that are subject to AML regulation.
- Obligations that may affect the handling of personal information by 'reporting entities' include:
- the collection of personal information under the identification procedures in Part 2 (Identification procedures etc);
- disclosing to AUSTRAC reports of certain matters in Parts 3 (Reporting obligations of reporting entities) and 4 (Reports about cross-border movements of physical currency and bearer negotiable instruments);
- ongoing monitoring of the provision of designated services (including to individuals) as part of ongoing customer due diligence obligations under Part 7 (Anti-money laundering and counter-terrorism financing programs); and
- retention obligations of Parts 2 and 10 (Record keeping requirements).
- For example, in section 39(1)(d) of the Exposure Bill, a reporting entity must disclose to AUSTRAC reports of personal information concerning transactions if it forms a suspicion, on 'reasonable grounds', that the information may be relevant to:
- (i) an investigation concerning taxation laws;
- (ii) an offence against a law of the Commonwealth or of a Territory; or
- (iii) may be of assistance to the enforcement of the Proceeds of Crime Act 2002.
- The Office notes that some of these prescribed reasonable grounds for disclosure are for purposes other than AML/CTF. It is useful to take into account the different policy drivers that may underpin such provisions, for example, the protection of public revenue, when considering the Exposure Bill, as the effects of such provisions are likely to be distinct from addressing AML/CTF risks.
- If a reporting entity has reasonable grounds to suspect that it has information that is relevant to any number of matters listed in s.39, it is required to report this information regarding the suspicious matter to AUSTRAC. This differs from the FTR Act which requires information to be reported on the more narrow 'suspicious transactions', not 'suspicious matters'. The Draft Bill's suspicious matter reporting requirements are discussed in more detail below at paragraphs 68-89.
- The overall effect of these various provisions would be to make it mandatory for reporting entities to collect personal information about individuals, retain that personal information for extended periods, and to disclose that information to AUSTRAC, which may, in turn, make it available to a range of government agencies. Given the very large number of reports to AUSTRAC, it seems likely that most affected individuals and the transactions they undertake will not be related to money laundering or terrorist financing activities.
- The Office notes the view expressed by bodies such as the Australian Privacy Foundation and the NSW Council for Civil Liberties8 that, for reporting entities, this collection of personal information could be equated to financial surveillance undertaken on behalf of the Government. Significantly, this collection may not be subject to privacy protections that would be afforded if collected directly by the Government.
- For individuals, this reduces their degree of control over their personal information, as they have no choice (and in many instances, perhaps no awareness) as to how their personal information is handled.
- Further, as a wider range of reporting entities will be collecting a greater volume of personal information and providing that to AUSTRAC, this may result in the establishment of a centralised database containing a significant percentage of Australians' personal information and the financial transactions they enter into. From this data, it could be possible to create a rich data trail of individuals' interactions in the economy.
Application of the Privacy Act to AML/CTF regulation
- While AUSTRAC and other Australian Government agencies are covered by the IPPs, the ten National Privacy Principles (NPPs) in the Privacy Act regulate the information-handling practices of private sector 'organisations'. These organisations include businesses with a turnover greater than $3 million, as well as all businesses that provide a health service or which trade in personal information. Generally, a business with a turnover of $3 million or less (that is, a small business) would not fall within the jurisdiction of the NPPs unless it provided a health service or traded in personal information.9
- The Office notes that those reporting entities which fall within the definition of "organisation" for the purposes of the Privacy Act will have obligations under the NPPs as to how they handle personal information. It remains unclear though, whether the coverage and content of the NPPs is adequate for the purposes of the regime envisaged under the Exposure Bill. In some cases, relevant reporting entities may not be covered. It may be appropriate to consider whether all reporting entities should have privacy regulations imposed given the mandatory nature of the collection and the sensitivity of the personal information.
Use and disclosure of personal information
- NPP 2 gives effect to the underlying privacy principle that personal information should, in general, only be used or disclosed for the purpose for which it was initially collected. That NPP recognises that, in certain circumstances, it may be in the public interest for personal information to be used or disclosed for other purposes, and provides a range of exceptions to the general principle. These exceptions include where the use or disclosure is:
- for a related secondary purpose within the individual's reasonable expectations (NPP 2.1(a));
- with the individual's consent (NPP 2.1(b));
- for the purpose of direct marketing (subject to conditions being met) (NPP 2.1(c));
- required or authorised by law (NPP 2.1(g)); or
- for purposes related to law enforcement (NPPs 2.1(f) and 2.1(h)).
- Accordingly, organisations that would be required to collect personal information pursuant to the Exposure Bill would then be regulated as to what other purposes they may use that information. However, as discussed above, the Privacy Act would not regulate the handling of this personal information by reporting entities that fall outside of its jurisdiction.
Notice and openness
- NPPs 1.3 and 1.5 impose obligations on private sector organisations, when collecting personal information, to take reasonable steps to ensure that the individual is aware of a number of matters. These matters include the types of bodies to which the organisation usually discloses information of that kind, as well as any law that requires them to do so.
- NPPs 5.1 and 5.2 require organisations to be open with individuals about the handling of their personal information, including by making available a document providing policies on such handling (including to whom it may disclose).
- Compliance with these provisions will go some way to ensuring that individuals have an appropriate degree of understanding of how their personal information may be handled. However, those reporting entities that are not 'organisations' and hence not covered by the Privacy Act, will be under no obligation to comply with these principles.
Data quality and security, access and correction, and transborder flows
- Similarly, the obligations imposed by the Privacy Act concerning data quality (NPP 3), data security (NPP 4), access and correction (NPP 6) and transborder data flows (NPP 9) will afford privacy protections only to the extent that they are applicable to the organisations. Many newly prescribed reporting entities will not be subject to this regulation.
Anonymity
- NPP 8 establishes that individuals should have a choice as to whether they can remain anonymous when entering into transactions with an organisation, "wherever it is lawful and practicable". In contrast, the underlying policy thrust of the Exposure Bill is that individuals must identify themselves when participating in specific financial transactions. The range of transactions is expanded by the Exposure Bill.
- The impact on the Australian community may be that personal information concerning many increasingly routine financial transactions, which are currently conducted anonymously, will be subject to mandatory collection by organisations and fall under the scrutiny of one or more government agencies. The extent to which individuals will be able to conduct their affairs on the basis of comparative anonymity may be significantly reduced.
- Whether such an outcome is warranted can only be determined by careful consideration of competing public interests.
Ensuring an appropriate response to AML/CTF risks
- The Office accepts the public interest in ensuring that Australia's financial regulatory systems and procedures incorporate appropriate responses to the risks of money laundering and terrorist financing. When developing such responses, it is essential that any measures which may adversely affect the privacy of Australians are necessary and proportionate to both the nature and degree of risk that exists.
- The Office also notes that the effective implementation of legislative measures for AML/CTF purposes will depend in large part on the willing cooperation of the business community in providing critical financial data to law enforcement agencies.
- This, in turn, will be underpinned by the understanding and confidence on the part of the community as to what happens to their financial data. It should be recognised that survey research conducted for the Office has found that the community is reluctant to provide personal financial information to others.10 A lack of confidence in how personal information is handled may have unintended and undesirable effects on the economy. For example, the Office's community attitude research has shown that a significant portion of the community are likely to not deal with organisations if they feel their personal information will not be handled appropriately.11
- In recognition of the importance of ensuring that any measures taken are necessary and proportionate, the Exposure Bill would benefit from a rigorous analysis directed at assessing whether its provisions constitute an appropriate way of meeting the underlying policy objectives. In very general terms, this analysis could usefully be directed at meeting the following questions:
- Is the scope of the personal information handling proposed in the Exposure Bill reasonably connected to countering money laundering and terrorist financing?
- Are the means limiting the right to privacy no more than is necessary to achieve the objective?
- Can measures be adopted that reduce the risks posed to privacy or afford specific additional privacy protections to the acts and practices in question?
Privacy Impact Assessment
- A potentially useful mechanism for examining the appropriateness of the Exposure Bill would be to conduct a formal Privacy Impact Assessment (PIA). The success of the Government's AML measures will depend in part on it complying with legislative privacy requirements and how well it meets broader community expectations about privacy. Failure to appropriately address privacy issues can have an impact on the trust of the community and may pose risks to the success of the project.
- The over-arching benefit of a PIA is that it will identify and analyse privacy impacts during a project's design phase, which in turn assists agencies to determine the appropriate management of any negative privacy impacts.
- The example of the Canadian Longitudinal Labour Force File Databank project illustrates the risks of not comprehensively considering privacy issues before implementation.12 In that case, community privacy expectations were not addressed during development of an information handling system and led to the dismantling of a national database on 34 million Canadians (at a cost of many millions of dollars) and a greater appreciation of the need for "…transparency and accountability, and the application of privacy-protection rules for the use of such information".13
- Ideally, a PIA should be conducted by an independent expert specialising in privacy issues and the conduct of PIAs. In addition, to aid transparency in the process, the Office sees merit in the PIA being a public document.
Privacy regulation for the AML/CTF scheme
- Effective privacy protections should play an essential role in the AML/CTF scheme, particularly to assist in retaining community confidence in the financial sector in respect of its ability to appropriately protect the personal information of its customers.
- The Office notes that, given the cross-jurisdictional nature of Australian privacy regulation, a number of agencies, organisations and individuals, acting in accordance with the provisions of the Exposure Bill in its present form, will have differing privacy obligations, depending on, for example, whether they are in the public or private sectors.
- The Office also notes the recognition by FATF of the importance of ensuring appropriate privacy protections: "Countries should establish controls and safeguards to ensure that information exchanged by competent authorities is used only in an authorised manner, consistent with their obligations concerning privacy and data protection."14
Privacy regulation for the handling of AML/CTF information by State and Territory agencies
- Currently, not all state and territory Parliaments have enacted privacy legislation covering their own agencies to afford individuals with protection against the mishandling of personal information. Of those jurisdictions that have enacted legislation, there is not uniformity in both the protections and the remedies available.
- The Exposure Bill provides for AUSTRAC to disclose personal information it has collected for the purpose of the AML/CTF to prescribed state and territory government agencies. This broadly reflects the current arrangements provided under the FTR Act. However, in the Office's view, the expansion in the scope of the regime envisaged by the Exposure Bill makes it necessary to consider whether the arrangements that currently apply for privacy are adequate.
- The Office recognises the requirement imposed by section 99(2) of the Exposure Bill, obliging AUSTRAC to require state and territory bodies to which it discloses information to comply with the Information Privacy Principles. It is not clear to the Office how state and territory government bodies could be legally bound to comply with the IPPs, or what remedies would be available to individuals if their privacy is interfered with. An individual would not currently be able to seek redress against a state government agency under the Privacy Act, as the jurisdiction of this legislation for the purposes of the IPPs does not extend to State and Territory government agencies.15
- The Office notes that one option may be to introduce a provision into the Privacy Act similar to sections 17 and 18 concerning the handling of tax file numbers (TFNs). In précis, s.17 requires the Privacy Commissioner to make statutory guidelines for the handling of TFNs, while s.18 makes it an offence for a 'file number recipient' to breach these guidelines. In turn, s.13 prescribes that a breach of s.17 is an "interference with privacy", in regard to which an individual may, under s.36(1) complain to the Privacy Commissioner. Significantly, 'tax file number recipients', about which individuals may complain, may include state and territory bodies that are not covered by the IPPs.16
- Accordingly, it can be seen that the arrangements for TFN regulation provide uniform rules to any class of recipient, as well as the opportunity for an individual to seek redress to the Privacy Commissioner.
- An alternative model is provided in the arrangements for privacy regulation of contract service providers (CSPs) to Commonwealth agencies. While the nature of the interactions is different to those that occur between AUSTRAC and state and territory bodies, the interplay between s.95B and s.13A(c) establishes a mechanism by which:
- contract service providers must comply with the IPPs and
- individuals are able to complain to the Privacy Commissioner under the IPPs for a breach allegedly committed by a CSP.
- The Office is aware there may be constitutional law issues which need careful consideration in the context of the Commonwealth regulating State and Territory agencies.
Privacy regulation for the handling of AML/CTF information by Reporting Entities
- The Office submits that to address the problem of inconsistent privacy regulation over current and envisaged reporting entities, the Exposure Bill should provide for the introduction of privacy provisions for all reporting entities, regardless of type or size. Such provisions should be consistent with those provided by the Privacy Act.
- In recognition of the pervasiveness of the scheme, these protections could, in some places, afford a higher standard of protection than those offered by the Privacy Act, including by limiting the number of exceptions to a use or disclosure provision. Such an approach is in place for the handling of credit reporting information, Medicare and PBS claims information, and Tax File Numbers.17
- The Office also notes that an approach introducing uniform privacy obligations on all reporting entities would seem consistent with the Australian Government's Policy Principles for Anti-money laundering reform document, which nominates "consistent regulation" as a key principle.18 A range of possible options for achieving this regulation is discussed below.
Options for privacy regulation
- There would appear to be a number of options for establishing an appropriate privacy framework in regard to the AML/CTF scheme, including:
- Privacy protections could be adopted in a schedule to the Exposure Bill. To ensure that the regulation was enforceable, a provision, similar to that in section 135AB of the National Health Act 1953, could prescribe that a breach of the privacy provisions of the Exposure Bill constitute an interference with the privacy of an individual for the purposes of section 13 of the Privacy Act.
- The Exposure Bill could introduce amendments to the Privacy Act so that AML/CTF privacy regulation was located in the Privacy Act (one form of this option is as envisaged above at paragraphs 44-46).
- Privacy provisions, applying to reporting entities, could be introduced by way of an enforceable AML/CTF Rule under section 191 of the Exposure Bill.
- Regulations could be made under section 6E of the Privacy Act to the effect that small business operators (or their prescribed acts or practices) for the purposes of the AML/CTF legislation were treated as if they were an "organisation" for the purposes of the Privacy Act.
- The Office suggests that a key task for a Privacy Impact Assessment (as recommended above at paragraphs 35-37) would be to fully explore the merits of these, and any other, proposals for privacy regulation.
Access to AUSTRAC-held data
- The practice of collecting personal information for one purpose, for example, law enforcement, while allowing others to have access to that personal information for other, possibly unrelated, purposes sits uncomfortably with commonly accepted privacy principles. This is especially the case where adequate steps are not taken to ensure that the individual is reasonably aware of the further uses of their personal information, or where the individual has little or no choice in providing such information.
- Under the FTR Act, AUSTRAC may grant access to individuals' personal information to "nominated agencies"19. The policy settings underpinning the existing personal information sharing arrangements involving AUSTRAC and other agencies are intended to limit access to AUSTRAC data to those agencies that require it to address the objects of the legislation, notably to prevent terrorism financing and money laundering.
- For example, the Office notes the 2003 amendments to the FTR Act permitting Centrelink (in the form of the "Commonwealth Service Delivery Agency") and the Child Support Agency (CSA) to gain access to data held by AUSTRAC.20 This amendment has permitted agencies to have access to AUSTRAC-held data for purposes other than anti-money laundering and counter-terrorism financing.
- The Office contrasts these arrangements with the view offered by the Senate Legal and Constitutional Committee in its 1993 Inquiry into financial transactions. In noting that 'FTR Information is particularly sensitive and intrusive', the Committee went on to conclude that: "AUSTRAC was established to respond to major crime, not lesser breaches of the law such as more minor breaches of the Social Security Act…AUSTRAC was established to enable law enforcement agencies to strike at major crime and that is what it should continue to do."21
- Division 4 of Part 11 of the Exposure Bill sets out the provisions relating to access to AUSTRAC data. The Office understands that it is intended that a range of Australian, State and Territory agencies, such as Centrelink, Child Support Agency and respective state and territory revenue collection bodies, will retain their existing ability to access personal financial information held by AUSTRAC under the provisions of the Exposure Bill. Moreover, it will be for AUSTRAC to decide which other prescribed agencies, subject to Division 4, will be permitted to have access to personal information it retains, and for what purposes.
- These other agencies include those defined as 'designated agencies' in section 6 of the Exposure Bill. The list of designated agencies includes not only law enforcement, welfare agencies and State and Territory revenue authorities, but also provision for any authority or agency of the Commonwealth22 and any authority or agency of a State or Territory23 "where the authority or agency is specified in the regulations".
- The Office submits that the replacement of the FTR Act with new legislation with its greater scope and impact does not, of itself, necessarily justify the continuance of the present data-sharing arrangements so as to permit access to the welfare and assistance agencies. In the event that the welfare and assistance agencies are to be given access to AUSTRAC data, then a statement of the legislative objects of the Exposure Bill should reflect an intention to allow such agencies to scrutinise the AUSTRAC data for their purposes. Accordingly, community consultation should be conducted expressly on this policy setting.
- A number of factors support the need for careful review of access provisions to personal information held by AUSTRAC under the Exposure Bill, including:
- the likely increased volume and richness of personal data that will be available for collection by AUSTRAC and, hence, accessible by other agencies for purposes unrelated to anti-money laundering and counter-terrorism activities;
- the extent to which the community may be aware that personal information provided by individuals in the course of a wide range of financial and commercial transactions may be scrutinised by a number of government agencies; and
- the extent to which the exercise of the discretion reposed in AUSTRAC to make its data accessible to other agencies is a transparent and accountable process. In this context, the process to ensure transparency and accountability should be proportionate to the breadth of the scheme and the amount of data the designated agencies will have access to.
An alternative access regime
- Section 99(1) of the Exposure Bill currently permits AUSTRAC to authorise, in writing,24 other agencies to access AUSTRAC-held data for purposes of "performing that agency's functions or exercising its powers". The Office notes that agencies' functions and powers can often be defined in legislation in quite broad and general terms. It may be more appropriate for such purposes to be defined in greater specificity.
- This section could be amended to a more privacy sensitive form by narrowing these purposes to those which are consistent with and relevant to the underlying policy intent of the AML/CTF regulatory scheme.
- This section could also be usefully amended by requiring transparency (including through mandatory consultation) and oversight over how the authority is exercised (including by clarifying that the written authority made by AUSTRAC is subject to Parliamentary scrutiny and disallowance).
- In addition, s.99 could be usefully amended to reflect any additional measures regarding the handling of AML/CTF personal information by state and territory agencies, as envisaged in paragraphs 42-46.
Retention periods for "Part 10-Record keeping requirements"
- The Exposure Bill invites comment on the appropriate minimum retention periods for information collected by reporting entities under Part 10. While any period may be arbitrary, it seems useful for the period to be determined with reference to the policy intent of NPP 4.2. This principle requires that personal information be destroyed once it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2.
- Such an approach highlights that a specific and clearly justified purpose must be articulated as to why the personal information is being retained.
Reporting of suspicious matters
- The Office notes that the Exposure Bill requires that a reporting entity must make a suspicious matter report where it has reasonable grounds to suspect that information it holds may be relevant to the investigation of an offence against a law of the Commonwealth,25 or a law of a State, Territory or foreign jurisdiction.26 This is in addition to suspicion that the information may be relevant to the enforcement of the Proceeds of Crime Act 2002,27 evasion of taxation laws28 or to a financing of a terrorism offence.29
- This requirement reflects an extension of the existing arrangements under the FTR Act, whereby a "cash dealer" is required to report a "suspicious transaction".
- This provision appears to establish a suspicious matters reporting regime that goes well beyond the policy intent of the regulation. In light of the extension of the AML/CTF regime to new entities and transactions, consideration should be given to narrowing this provision to one that sits more comfortably with the policy intention of addressing major crime and supporting AML/CTF regulation.30
Broadened Scope
- The Office understands that the scope of the information which is to be reported to AUSTRAC by reporting entities, if deemed to be suspicious, has been broadened in at least two ways.
- Firstly, the FTR Act focuses on the reporting of financial transactions in sections 16 and 17. In the Draft Bill, the scope has been broadened to require the reporting of suspicious matters.31
- Secondly, s.16 of the FTR Act requires that for a reporting entity to disclose a suspicious transaction report to AUSTRAC, the reporting entity ('cash dealer' under the FTRA) must be 'party to a transaction'. By comparison, s.39(1)(c) of the Exposure Bill provides that a report can be made simply if "a person inquires of a reporting entity whether the reporting entity would be willing or prepared to provide a designated service to the person".
- Given that s.39(4) makes it a criminal offence not to report a suspicious matter if a reasonable suspicion had been established under s.39(1), it seems plausible that a fear of criminal sanction will result in reporting entities being more likely to over-report than under-report. The AML/CTF Program Rules require that a reporting entity ensure it has appropriate systems and controls in place to identify cases where a suspicious matter report ought to be lodged in accordance with clause 39 of the Bill.32 Given the consequences of s.39(4), caution may lead reporting entities to develop a reporting system which reports any matter having a certain characteristic, such as those outlined in the Suspect Matter Reporting Rules. This may result in an entity over-reporting.
- The increased volume of suspicious matter reports which will flow as a result of these changes has privacy implications. The Office submits that there need to be effective privacy safeguards in place to balance the privacy invasive reporting of suspicious matters with the privacy rights of individuals.
Access and correction for suspicious matters information
- The Privacy Act establishes an individual's general right to access and, where necessary, correct personal information held about them by agencies and organisations.33 The right to have personal information corrected applies to personal information that is not accurate, complete or up-to-date.34
- Reflecting the current requirement of the FTR Act, section 95 of the Exposure Bill makes it a criminal offence for a reporting entity to "tip-off" an individual that a suspicion has been formed about them under s.39(1) or that a report has been made to AUSTRAC under this same section. This, in effect, extinguishes an individual's right to access their information and, in turn, the opportunity to correct that information.
- Similarly, information concerning "suspicious matters" is expressly exempt from the Freedom of Information Act 1982 (FOI Act). Schedule 2 specifies that information disclosed to AUSTRAC under s.16 of the FTR Act is exempt from the FOI Act.
- The combined effect of these provisions is that a database of suspicious matters will be created, based on the subjective judgment of individuals employed by reporting entities. An individual will be prohibited from accessing any personal information about them, and, it follows, will not be able to have that information corrected where it is inaccurate, misleading or not up-to-date.
- The Office recognises that while individuals have a general right to access and correct personal information about them, the nature of suspicious matter reporting may reasonably preclude individuals from being advised that such information has been collected, particularly in cases where an investigation may be prejudiced or otherwise compromised. A balance is required between what is reasonably necessary to promote the public interest inherent to AML/CTF regulation, and the public interest in individuals having their personal information treated confidentially.
- The Office assumes that not all suspicious matter reports will be actioned by AUSTRAC, or that at some point they may no longer be necessary for the purpose for which AUSTRAC collected them, that is, to investigate anti-money laundering and counter-terrorism financing. In such cases, the public interest in denying individuals access to such information would seem unconvincing.
- Accordingly, the Office submits that there should be a qualified access provision in the Exposure Bill that balances the need to protect the integrity of investigations with the privacy expectations of individuals. Such a provision could allow that if no action has been taken in regard to a suspicious matter report then the individual would be able to access and, where necessary, correct that information. A suitable period could be 6 months from when the report was made.
- The Office has suggested below (paragraph 89) that suspicious matter information need not be retained by reporting entities, as it is subject to mandatory reporting to AUSTRAC. In the event that reporting entities are required to retain suspicious matter information, rights to access and correction should also be available as proposed above.
Use, disclosure of suspicious matters information
- Section 99(1) of the Exposure Bill permits AUSTRAC to disclose information to a specified designated agency for the purposes of "…performing the agency's functions and exercising the agency's powers". As was noted above in paragraph 62, the functions and powers of agencies can be defined broadly, and it can therefore be seen that this provision creates a wide discretion for disclosure. The Office submits that the Exposure Bill should narrow this discretion by prescribing that suspect matter information should only be used and disclosed for the primary purpose of collection, that is, for anti-terrorism and counter-terrorism financing.
- Similarly, use and disclosure of this information by reporting entities should also be prescribed narrowly in the legislation. This is particularly important if some reporting entities remain beyond the coverage of the NPPs. By way of example, s.18L of the Privacy Act provides that credit providers may only use personal information contained in credit reports for prescribed purposes, and creates an offence punishable by a fine of no more than $150,000 for contravening the permitted uses.35
Retention of suspicious matters information
- Further, the Office suggests that a limitation period be placed on the retention of suspicious matters information by AUSTRAC.
- The Office recognises that for law enforcement purposes, disclosing to the individual that they are suspected of suspicious matters may be detrimental to investigations and personal information may need to be retained for extended periods until investigations or prosecutions are resolved. However, as a general rule, if the information is no longer relevant for the purpose it was collected then it should be destroyed.
- Accordingly, where no action has been taken on suspicious matter information, AUSTRAC should delete the information after a fixed period, such as 2 years.
- As suspicious matters information is subject to mandatory reporting to AUSTRAC, there would not seem to be any reason for it to also be retained by reporting entities. Accordingly, in line with NPP 4.2,36 reporting entities should take reasonable steps to delete suspicious matter information once it has been reported to AUSTRAC.
Threshold amount for "significant transactions" reporting
- As noted earlier, currently in excess of 2 million reports to AUSTRAC are generated due to a transaction being in excess of the threshold figure for "significant transaction". This represents a significant volume of personal information.
- The Office notes that the number of significant cash transaction reports has increased approximately 200% since 1991. For this category of reporting, the level of growth may suggest that consideration needs to be given as to whether the threshold figure of $10,000, which has remained constant since the scheme was introduced, remains the "significant amount" anticipated when the FTR Act was drafted.
- If this figure remains at this current prescribed level, then, as a consequence of price inflation, the reporting scheme will increasingly capture personal information regarding transactions that may not have been anticipated when the legislation was first drafted.
- Further, section 5 of the Exposure Bill defines 'threshold transaction' and introduces the authority for AUSTRAC to prescribe, by regulation, threshold transactions for specified transactions less than $10,000, including non-cash transactions. The Office understands that such regulations are those provided for by section 205 of the Exposure Bill and prescribed by the Governor-General.
- The transaction threshold amount was the subject of evidence at the Senate Legal and Constitutional Committee Inquiry into the Exposure Bill. In response to a Senator's enquiry of AUSTRAC about a possible review of the threshold, AUSTRAC stated:37 "AUSTRAC's view is that $10,000 remains the appropriate level for this threshold. While the number of transactions at this level has increased, this amount remains significant. The Bill does provide for the threshold to be raised, as well as lowered, by regulation, not by AUSTRAC. The amount will be kept under continuing review and if it appears that it should be raised, recommendations will be made to the Minister for Justice and Customs about the need for regulations."
- The Office recommends that, in the interests of containing the collection of personal information to what may be reasonably regarded as necessary to meet the objects of the Exposure Bill, the threshold amount be reviewed. A review might look to the measures which ensure that there is both proportionality and transparency in future adjustments to the amount.
Rules and Guidelines
- It is the Office's understanding that there are to be five sets of rules to accompany the Draft Bill. At the time of writing this submission, the Office has only had opportunity to view two sets of rules:
- Suspicious Matter Reporting and
- Anti-Money Laundering and Counter-Terrorism Financing Programs.
- The Attorney-General's Department and AUSTRAC advised the Senate Committee that the set of revised Customer Identification Rules was going before industry two days following that hearing.38 As yet, this Office has not seen these rules. The Office submits that consultation on the operation of the Rules has been limited and that it has therefore not had the opportunity to comment on the AML package as a whole.
- As such, given three sets of rules have been unavailable during the consultation period, the OPC suggests that the Bill be held over until the entire AML/CTF package can be adequately examined by all relevant stakeholders. Alternatively, the enabling provisions in the Bill should require mandatory consultation with a broad range of stakeholders for these new rules before they are included as part of the legislative package. Mandatory consultation should also be a requirement of any future rules or amendments.
- Section 191(1) states that AML/CTF Rules are legislative instruments for the purposes of the Legislative Instruments Act 2003 (LI Act). While the LI Act requires consultation on new legislative instruments, this is determined by what the rule-maker considers to be appropriate.39 Also, a failure to consult does not affect the validity or enforceability of a legislative instrument.40 Therefore, the Office suggests that section 191 of the Exposure Bill be amended to require mandatory consultation, including with community groups examining privacy issues.
- The following are specific comments on the two sets of Rules currently available.
Suspect Matter Reporting Rules
- In these Rules, the Office notes that there is a large amount of information that is to be included in a Suspect Matter Report to AUSTRAC, including "any other detail that the reporting entity considers may be relevant to the matter the subject of the suspicion".41 The Office submits that such broad grounds for reporting highlight the need for individuals to be afforded some access and correction rights, as discussed above in paragraphs 76-83.
AML/CTF Program Rules
- The AML/CTF Program Rules require reporting entities to implement systems which will include, amongst other things, monitoring transactions, maintaining customer due diligence and assigning risk classifications to customers.
- It appears that individuals with a higher risk classification will be subject to greater monitoring of their transactions and enhanced customer due diligence, which will likely include the collection of more personal information. Given the potentially privacy intrusive nature of these additional obligations, notice should be provided to individuals as to what will trigger these processes. This could include advising customers which products are high risk services and which characteristics may trigger a high risk classification, and advising them of their risk classification if requested.
- The Office also suggests that the Rules for AML/CTF Programs include requirements for reporting entities to take reasonable steps to ensure that employees and agents are aware of obligations concerning the appropriate handling of personal information collected under the AML/CTF legislation. This could, for example, be expressly provided for in rule 26, which requires reporting entities to give appropriate training to employees on various matters relevant to the implementation of the Exposure Bill.
Audit and information gathering powers
- Parts 13, 14 and Division 6 of Part 15 outline authorised officers'42 audit, information gathering and search and questioning powers. The Office generally endorses the need for appropriate justification and proportionality in the granting of search, entry and questioning powers that entail the collection of personal information.
- Generally speaking, an agency's collection of personal information must comply with the Information Privacy Principles (IPPs), which are underpinned by the expectation that personal information will be handled openly and transparently, and in a way that the individual concerned would reasonably expect. The IPPs expressly require that, amongst other things, the collection of personal information should be necessary for a lawful purpose or for a purpose directly related to that purpose.43 In addition, the collector must take reasonable steps to ensure collection does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.44 Where personal information is collected directly from the individual, the individual should be provided notice of the collection, including what the information may be used for.45
- Section 135(1) states that an authorised officer may take possession of a document under Part 14, and retain it for as long as is reasonably necessary. Parts 13 and 15 do not address the question of how long personal information, once collected, may be retained. An approach, which is consistent with best privacy practice, would be to destroy the information once it is no longer necessary for the purpose for which it was collected.
- Division 6 of Part 15 gives a police officer or a customs officer the power to question, search and arrest in relation to cross-border movements of physical currency and bearer negotiable instruments. While physical searches such as those permitted under this Part may not ordinarily be regulated by the Privacy Act, records created from such activity may be. Given that personal information may therefore be collected through these new methods it is important to balance the privacy protections with the potential collection and use of the information.
Endnotes
- http://www.aph.gov.au/hansard/senate/commttee/S9204.pdf
- See http://www.austrac.gov.au/ftr_act/index.html
- AUSTRAC Annual Report 2004-05, pp 17-18
- See http://www.fatf-gafi.org/pages/0,2987,en_32250379_32235720_1_1_1_1_1,00.html
- Namely, transactions involving amounts greater than $10,000 in either cash or e-currency (or less than $10,000 if provided for by regulation) and involving the provision of a designated service.
- Division 4 of Part 11 of the Exposure Bill.
- See, also, media release for the Minister for Justice and Customs Sen. The Hon Chris Ellison 16 December 2005, where the Exposure Bill is described as: "...an important part of Australia's response to emerging money laundering and terrorist financing risks". Available at http://www.ag.gov.au/....
- See, submissions made to the Senate Inquiry, available at http://www.aph.gov.au/senate/committee/legcon_ctte/anti-money_laundering/submissions/sublist.htm.
- 'Small business' and 'small business operator' are defined in section 6D of the Privacy Act. More information on the coverage of the NPPs is available from http://www.privacy.gov.au/materials/types/infosheets/view/6544.
- See, community attitude research conducted for the Office in 2001 and 2004 (respectively at http://www.privacy.gov.au/materials/types/research/view/6614 and http://www.privacy.gov.au/publications/rcommunity/index.html).
- See, http://www.privacy.gov.au/publications/rcommunity/chap6.html.
- Human Resources Development Canada (2000) Media Release: HRDC Dismantles Longitudinal Labour Force File Databank 29 May [available at http://www.hrsdc.gc.ca/en/cs/comm/news/2000/000529_e.shtml]; Wired News Report (2000) 'Canada Scraps Citizen Database' 30 May [available at http://wired.com/news/politics/0,1283,36649,00.html].
- Bennett C and Raab The Governance of Privacy: Policy instruments in global perspective (2003) Ashgate, London: p.115.
- See Interpretative Note to the FATF recommendations at http://www.fatf-gafi.org/document/28/0,2340,en_32250379_32236930_33658140_1_1_1_1,00.html
- ACT Government agencies are regulated by the Privacy Act, except for the handling of health information.
- For example, universities established under state legislation.
- See, respectively, Part IIIA of the Privacy Act, section 135AA of the National Health Act 1953 and Division 4 of the Privacy Act.
- http://www.ag.gov.au/...
- Under s.27(1) of the FTR Act nominated agencies include law enforcement agencies, Australian Customs Service, Centrelink, CSA and State and Territory revenue authorities, as well as any other Commonwealth agency prescribed by regulation.
- Family and Community Services and Veterans' Affairs Legislation Amendment (2003 Budget and Other Measures) Act 2003 No. 122, 2003 - Schedule 2, Section 7 http://www.austlii.edu.au/au/legis/cth/num_act/facsavala2003baoma2003n1222003920/sch2.html
- Checking the Cash: A Report on the Effectiveness of the Financial Transaction Reports Act 1988, Senate Standing Committee on Legal and Constitutional Affairs, November 1993, section 8.15. Available at http://www.aph.gov.au/Senate/committee/legcon_ctte/completed_inquiries/pre1996/ftr_cash/index.htm
- Section 6(k), Exposure Bill.
- Section 6(t), Exposure Bill.
- The status of this authority is unclear, as it is not apparent what form of instrument the written authorisation is intended to be.
- See s.39(1)(d)(ii), Exposure Bill.
- See, s.40, Exposure Bill. It should be noted that laws of a foreign jurisdiction must correspond to a Commonwealth, State or Territory law.
- See s.39(1)(d)(iii), Exposure Bill
- See s.39(1)(d)(i), Exposure Bill
- See s.39(1)(e), Exposure Bill
- This policy intent is described, for example, in a media release from the Minister for Justice and Customs, Sen. The Hon Chris Ellison, 16 December 2005, available at http://www.ag.gov.au/....
- S.39(1), Exposure Bill.
- Rule 24, Anti-Money Laundering and Counter-Terrorism Financing Programs Rules
- See, generally, IPPs 6, 7 and 8 and NPP 6.
- NPP 6.5 says: If an organisation holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, the organisation must take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
- Similarly, section 18N of the Privacy Act limits the purposes for which credit providers may disclose personal information contained in credit reports.
- NPP 4.2 says: An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.
- Senate Legal and Constitutional Committee, Exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005, Hansard, 14 March 2006, at 95
- Senate Legal and Constitutional Committee, Exposure draft of the Anti-Money Laundering and Counter-Terrorism Financing Bill 2005, Hansard, 14 March 2006, at 97
- Legislative Instruments Act 2003 (LIA), section 17
- LIA, section 19
- Draft AML/CTF Rules for Discussion Suspicious Matter Reporting, Rule 2.19
- Authorised officer is defined in section 115 of the Exposure Bill.
- IPP 1.1.
- IPP 1.3.
- IPP 2.


