Submission to the Senate Legal and Constitutional Affairs Committee

November 2006

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) ('the Privacy Act'), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

The Office welcomes the opportunity to make this submission to the Senate Legal and Constitutional Committee's Inquiry into the Anti-Money Laundering and Counter-Terrorism Financing Bill 2006 ('the Bill') and the Anti-Money Laundering and Counter-Terrorism Financing (Transitional Provisions and Consequential Amendments) Bill 2006 ('the Consequential Amendments Bill').

The Office previously provided submissions on the first exposure draft to the Legal and Constitutional Legislation Committee inquiry ('the Senate Inquiry') in March 2006, and to the Attorney General's Department ('the Department') in April 2006.1 The Office also provided evidence at the public hearings for the Senate Inquiry. Additionally, the Office made a submission the Department's consultation on the second exposure draft in August 2006.2

While recognising the advantages of measures to address money-laundering and terrorism financing, the Office reiterates that such measures should be proportionate to the serious offences they are aimed at in order to warrant the collection of a significant quantity of personal information including sensitive financial information. The Office notes that the current reform will significantly expand the regulatory regime, and in turn the amount of personal information collected, use and disclosed. This will be further extended when the second tranche of reporting entities is introduced.

In this regard, the Office notes the view offered by of the Senate Legal and Constitutional Committee in its 1993 Inquiry into financial transactions. In noting that "…FTR Information is particularly sensitive and intrusive…", the Committee concluded that:

"AUSTRAC was established to respond to major crime, not lesser breaches of the law such as more minor breaches of the Social Security Act…AUSTRAC was established to enable law enforcement agencies to strike at major crime and that is what it should continue to do.3"

The Office submits that, in absence of a clear and compelling alternate view, this underpinning policy setting remains appropriate.

This submission provides comment on a significant and positive change since the last exposure draft, outlines how the Office will engage with the process if the Bill is passed and reiterates the three main areas of continuing concern.

Privacy regulation for small businesses

The Office welcomes the provision made in section 152 of the Consequential Amendments Bill to apply the Privacy Act to those activities of small business operators that are undertaken for the purpose of compliance with the Bill, or regulations or rules made under the Bill.

This is one of the recommendations that the Office has been making during the course of the consultations and believes that this provision will assist in ensuring that personal information will be appropriately collected and managed by small businesses for the purposes of the Bill.

Office engagement

The Office also welcomes the commitment outlined in the second reading speech accompanying the Bill for the Office to receive additional funding of $1.8 million over 4 years to provide guidance and assistance to small business operators to meet their obligations under the Privacy Act. 4

The Office will use this additional funding in three main areas:

1. to develop guidance material and conduct educational activities with small business operators who will be brought under the Privacy Act for the purposes of the AML/CTF legislation, including the production of multi-lingual guidelines and fact sheets;
2. to provide advice to the Attorney General's Department and other Australian Government agencies in relation to privacy issues relating to the implementation of the scheme, including the second tranche legislation, and to provide advice in response to the mandatory consultation requirement on AUSTRAC (section 212(2)(a)(vi)); and
3. to conduct a regular audit program of Australian Government agencies handling personal information collected as part of the AML/CTF requirements.

Access to AUSTRAC information by 'designated agencies'

The Bill (at section 5) includes 24 subsections to the definition of 'designated agency', and three subsections providing mechanisms to add further designated agencies by regulation. These agencies would be permitted to have direct access to AUSTRAC information, which has been collected for purposes relating to the prevention of money-laundering and terrorism funding. The Office has previously stated that given its importance the deliberative process for adding additional designated agencies should be separate from the current major reform program

The Office notes that the new agencies added to the definition are the Immigration Department, the Inspector General of Intelligence and Security and the Treasury Department. 5

The Office also notes that currently 2,700 individuals are authorised to have online access to AUSTRAC's database, with more than half of these individuals in the Australian Taxation Office.6

The Office has previously argued that, consistent with good privacy practice, individual's personal information collected for the purpose of enforcing serious crime, such as money laundering and terrorism financing, should generally only be used for such purposes. Collecting and sharing personal financial information for matters of lesser gravity than AML/CTF and other similarly major crime may not align with community expectations concerning how this information should be handled. The Office reiterates its previous view that the access to personal information held by AUSTRAC should be narrowly restricted to those agencies and other bodies that require such information as a necessary part of responding to major crimes.

While the Office's preference is for agencies to be nominated in the primary legislation if the process is to be undertaken through regulation the Office suggests that wide consultation be undertaken before an agency is added.

Access to AUSTRAC information by state and territory agencies

An important factor in ensuring appropriate privacy protections to individuals' personal information is the consistency of protections afforded by all organisations and agencies that will handle the information. In that light, the proposed scheme does not appear to have consistent privacy protections for AUSTRAC information once it has been accessed and collected by State and Territory agencies. Not all state and territory Parliaments have enacted privacy legislation covering their own agencies, and of those jurisdictions that have enacted legislation, there is not uniformity in either the protections or the remedies available.

Access to AUSTRAC data by State and Territory agencies, as set out in the Bill, appears to largely reflect current practice. Section 126(3) requires AUSTRAC to obtain an undertaking from state and territory agencies that the information will be dealt with in accordance with the Information Privacy Principles (IPPs). While this is intended to impose obligations on those state and territory agencies accessing personal information held by AUSTRAC, it is not clear whether this process allows individuals to make complaints and to seek remedies if they consider that their information has been dealt with inappropriately by one of those agencies. Given the expansion in the scope of the financial transactions reporting regime indicated by the Bill, the Office considers that it is important to strengthen the privacy protections which apply to the information once it has left the control of AUSTRAC, particularly where the receiving agency may not be subject to any privacy regulation.

In its submission on the first exposure draft, April 2006, the Office offered two suggestions as to how this may be resolved. These suggestions were outlined at paragraphs 45-47 of that submission:7

" 45. The Office notes that one option may be to introduce a provision into the Privacy Act similar to sections 17 and 18 concerning the handling of tax file numbers (TFNs). In précis, s.17 requires the Privacy Commissioner to make statutory guidelines for the handling of TFNs, while s.18 makes it an offence for a 'file number recipient' to breach these guidelines. In turn, s.13 prescribes that a breach of s.17 is an "interference with privacy", in regard to which an individual may, under s.36(1) complain to the Privacy Commissioner. Significantly, 'tax file number recipients', about which individuals may complain, may include state and territory bodies that are not covered by the IPPs. 46. Accordingly, it can be seen that the arrangements for TFN regulation provide uniform rules to any class of recipient, as well as the opportunity for an individual to seek redress to the Privacy Commissioner. 47. An alternative model is provided in the arrangements for privacy regulation of contract service providers (CSPs) to Commonwealth agencies. While the nature of the interactions are different to those that occur between AUSTRAC and state and territory bodies, the interplay between s.95B and s.13A(c) establishes a mechanism by which:

• contract service providers must comply with the IPPs and
• individuals are able to complain to the Privacy Commissioner under the IPPs for a breach allegedly committed by a CSP.

The transaction value threshold

$10,000 threshold

A key mechanism for reducing privacy risks is to limit the collection of personal information to that which is necessary and proportionate to achieve a given objective.

The Office notes that the number of significant cash transaction reports has increased approximately 200% since 1991. In 2005-06, the number of reported significant cash transactions was 2,416,427. 8

The prescribed significant cash transaction threshold has remained constant at $10,000 since the scheme was introduced and, as a consequence of price inflation, the reporting scheme will increasingly capture personal information regarding transactions that may not have been anticipated when the legislation was first drafted. In November 1993, the Senate Legal and Constitutional Committee released its report "Checking the Cash", a review on the operation of the FTR Act. Recommendation 2 addressed the threshold amount. It said:

"The Committee recommends that the reporting threshold for significant cash transaction reports should not be allowed to erode significantly through inflation. To achieve this, the threshold should be adjusted periodically after consultation with cash dealers. The aim of the adjustment should be to maintain the threshold at, or near, the present amount in real terms."

There has been no adjustment to the threshold in the 18 years since the FTR Act was introduced. In the Office's view, the current process of regulatory reform provides an opportunity for this threshold to be revised upward. As organisations will already been undergoing changes to their compliance processes and systems to accommodate the proposed regulatory reform, it seems opportune to amend this threshold amount to a more appropriate figure. Once organisations have completed the process of establishing processes to meet the new regulatory arrangements, they may be highly reluctant to support a change in the threshold amount in the foreseeable future.

It is therefore an appropriate time to reconsider the threshold. Retention of the existing threshold will naturally result in more reports to AUSTRAC as inflation erodes the purchasing power of $10,000.

1 Submission to the Attorney-General's Department for its consultation on the 1st exposure draft, April 2006: http://www.privacy.gov.au/materials/types/download/8608/6460. Submission to the Senate Legal and Constitutional Committee Inquiry in to the 1st exposure draft, March 2006: http://www.privacy.gov.au/materials/types/download/8606/6459. 2 Submission to the Attorney-General's Department for its consultation on the 2nd exposure draft, August 2006: http://www.privacy.gov.au/materials/types/download/8911/6684. 3 Checking the Cash: A Report on the Effectiveness of the Financial Transaction Reports Act 1988, Senate Standing Committee on Legal and Constitutional Affairs, November 1993, section 8.15. Available at http://www.aph.gov.au/Senate/committee/legcon_ctte/completed_inquiries/pre1996/ftr_cash/index.htm4 The Hon Philip Ruddock MP Attorney-General, 1 November 2006 House of Representatives Hansard, p.1 [available at http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=HANSARDR&Criteria=DOC_DATE:2006-11-01%3BSEQ_NUM:6%3B]. 5 It is noted that access by the Treasury Department is limited to Division of Treasury responsible for the administration of the Foreign Takeovers and Acquisitions Act 1975. 6 AUSTRAC Annual Report 2005-06 p. 43. 7 Available at http://www.privacy.gov.au/publications /antimoneysub010506.html#mozTocId80183. 8 AUSTRAC Annual report 2005-06 Fact Sheet [available at http://www.austrac.gov.au/publications /annualreports/200506/pdf/austrac_annual_report_fact_sheet_2005_06.pdf].