Submission to the Attorney-General''s Department

August 2006

Table of Contents

• Table of Contents
• Background
• Access to AUSTRAC information by designated agencies
  • Access to AUSTRAC information by state and territory agencies
• Reporting Entities
  • Privacy regulation for small businesses
• Retention of information
• Retention of information by AUSTRAC
• Transacting anonymously
• The transaction value threshold
  • $10,000 Threshold
• Privacy Impact Assessment

Office of the Privacy Commissioner

The Office of the Privacy Commissioner (the Office) is an independent statutory body responsible for promoting an Australian culture that respects privacy. The Office, established under the Privacy Act 1988 (Cth) (''the Privacy Act''), has responsibilities for the protection of individuals' personal information that is handled by Australian and ACT government agencies, and personal information held by all large private sector organisations, health service providers and some small businesses. The Office also has responsibilities under the Privacy Act in relation to credit worthiness information held by credit reporting agencies and credit providers, and personal tax file numbers used by individuals and organisations.

Background

The Office welcomes the opportunity to provide comment on the second exposure draft of the Anti-Money Laundering and Counter-Terrorism Funding Bill 2006 (''the second Exposure Draft''). The Office provided submissions on the first exposure draft to the Legal and Constitutional Legislation Committee inquiry (''the Senate Inquiry'') in March 2006, and to the Attorney General''s Department (''the Department'') in April 2006. In addition, the Office provided evidence at the public hearings for the Senate Inquiry. 

While recognising the advantages of measures to address money-laundering and terrorism funding, the Office submits that such measures should be proportionate to the serious offences they are aimed at in order to warrant the collection of a significant quantity of personal information including sensitive financial information. The Office also submits that the measures should be accompanied by appropriate protections for the information that is collected, used and disclosed by AUSTRAC, reporting entities and designated agencies. 

Access to AUSTRAC information by designated agencies

The second Exposure Draft (at section 99(1)) includes 21 subsections to the definition of ''designated agency'' in section 5, and two of these subsections, (l) and (u), allow the addition of more agencies through regulations.

The proposal appears to enable these agencies to have direct access to AUSTRAC information, which has been collected for purposes relating to the prevention of money-laundering and terrorism funding, and to use the information for other purposes.

Restrictions on the use of information for secondary purposes, that is purposes other than those for which the information has been collected, are crucial to ensuring appropriate privacy safeguards. The existence of this information, which is collected for one purpose, should not automatically entitle other agencies to use that information.

The consequences of access by a range of designated agencies may escalate as the number of reports to AUSTRAC increases with the introduction of the proposed second tranche legislation. 

The Office encourages the Department to consider separating this issue from the current legislative reforms, and to undertake a consultation process prior to any expansion of the list of designated agencies. The Office considers that this approach will ensure that the important question of which agencies have access to AUSTRAC information, and for what purposes, is afforded appropriate scrutiny and consideration.

Access to AUSTRAC information by state and territory agencies

An important factor in ensuring an appropriate level of privacy protections to individuals'' personal information is consistent protection afforded by all organisations and agencies that will collect, hold and use the information. In that light, the proposed scheme does not appear to have consistent privacy protections for AUSTRAC information once it has been accessed and collected by State and Territory agencies. Not all state and territory Parliaments have enacted privacy legislation covering their own agencies, and of those jurisdictions that have enacted legislation, there is not uniformity in either the protections or the remedies available.

Access to AUSTRAC data by State and Territory agencies, as set out in the draft Bill, appears to largely reflect current practice. Section 99(2) of the second Exposure Draft requires AUSTRAC to obtain an undertaking from State and Territory agencies that the information will be dealt with in accordance with the Information Privacy Principles (IPPs). While this may impose some obligations on those State and Territory agencies accessing the AUSTRAC data, it is not clear whether this process allows individuals to make complaints and to seek remedies if they consider that their information has been dealt with inappropriately by one of those agencies.

Given the expansion in the scope of the financial transactions reporting regime indicated by the second Exposure Draft, the Office considers that it is important to strengthen the privacy protections which apply to the information once it has left the control of AUSTRAC, particularly where the receiving agency may not be subject to any privacy regulation. 

In its submission on the first exposure draft, April 2006, the Office offered two suggestions as to how this may be resolved (at paragraphs 45-47). 

Reporting Entities

Privacy regulation for small businesses

The Senate Inquiry called for further consideration as to whether the privacy protections in the NPPs are sufficient for the purposes of information collected and handled under this scheme. This is consistent with the Office''s view provided to the Department in its submission on the Exposure Draft (see paragraph 50 of that submission).

Retention of information

The Department provided comments to the Senate Inquiry regarding the retention of information by reporting entities. In particular:

''what we then expect of the entity is that essentially they forget that they have put in a suspect transaction report… We do not want reporting entities to be keeping records and blacklists of people who have (been) put in suspicious transaction reports.''

However, as the Office understands it, the second Exposure Bill has proposed that reporting entities retain the information contained in suspicious matter reports provided to AUSTRAC for a period of 7 years (Part 10, Division 2 of the second Exposure Draft). Moreover, the simplified outline at Part 10, Division 1 states that reporting entities will be required to retain the information for 7 years after the end of the reporting entities relationship with the individual, which could require the retention of information for potentially longer periods.

Section 95 of the second Exposure Draft precludes an individual from seeking access to their personal information under NPP 6 in relation to information being held by a reporting entity. As an individual is not able to check information that is held about them, and has no opportunity to provide clarifying details or correct errors, the Office submits that further limitations on the retention of the information by reporting entities are warranted.

As discussed in our submission on the first Exposure Draft in April 2006, the limitations on the retention of information collected by reporting entities should be determined by consideration of whether the information continues to be needed by the reporting entity, rather than by reference to an arbitrary period of time. In line with the Department''s comments above, once the report has been made to AUSTRAC, the Office contends that information should not be retained by the reporting entity unless there is a specific and clearly justified purpose for its retention. 

Retention of information by AUSTRAC

The Office questions the need for the creation of a database of suspicious matters, based on potentially subjective judgments of individuals employed by reporting entities. The Exposure Draft does not appear to include limitations on the retention of information on the database, and contains no provision for affected individuals to access and, if necessary, have the information corrected where it is inaccurate, misleading or not up-to-date.

The Office recognises that the nature of suspicious matter reporting may reasonably preclude individuals from being advised that such information has been collected, particularly in cases where an investigation may be prejudiced or otherwise compromised. However, there is the potential for negative connotations to flow from inclusion on a database of suspicious matters. 

Given the range of agencies which may have access to the information, the potential lack of experience of those who are providing the reports, and the lack of access and correction rights for individuals, there may be significant data quality issues raised by the information held by AUSTRAC. It would be good privacy practice to balance any reduction in an individual''s ability to protect their privacy, such as their ability to access information held about them, with a requirement that the information be routinely deleted from the database.

If there is no provision for individuals to check information that is held about them, and no opportunity to provide clarifying details or correct errors, there should be a regime to systematically delete information from the database. The Office recommends that where no action has been taken on suspicious matter information, AUSTRAC should delete the information after a fixed period, such as 2 years.

Transacting anonymously

Anonymity is one means by which individuals can obtain a degree of privacy. The Privacy Act 1988 (Cth) (''the Privacy Act'') recognises the value in anonymity by providing, at National Privacy Principle (''NPP'') 8, that wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation. A key privacy issue raised by the second Exposure draft lies in the risk of moving towards a culture in which individuals are required to routinely establish their identity to transact in society.

Section 110 of the second Exposure Draft makes it an offence to commence to provide a designated service on an anonymous basis. From this, it is apparent that there are many transactions where it would otherwise be practicable to be anonymous, but by operation of the Anti-Money Laundering and Counter-Terrorism Funding (AML / CTF) legislation, it will no longer be lawful to be anonymous. There is a clear shift to requiring evidence of identity as a matter of course for an expanded range of transactions, including only making enquiries about entering into a transaction. 

Requiring evidence of identity for selected transactions which have been identified as presenting a significant risk of being linked to money laundering or terrorism financing activities may be a proportionate response to the threat posed by these criminal activities. 

The Office encourages the Department to consider limits to the number and range of transactions to which the requirement for identification is required. These may include eliminating the requirement to provide identification where the individual is only making enquiries, or where the activity involves low value transactions, such as exchanging small amounts of foreign currency. 

The transaction value threshold

$10,000 Threshold

As discussed in our submission to the first Exposure Draft, the Office queries the maintenance of the threshold transaction value of $10,000. This amount has remained constant since the scheme was introduced and, as a consequence of price inflation, the reporting scheme will increasingly capture personal information regarding transactions that may not have been anticipated when the legislation was first drafted. 

In November 1993, the Senate Legal and Constitutional Committee released their report ''Checking the Cash'', a review on the operation of the FTR Act. Recommendation 2 addressed the threshold amount. It said:

''The Committee recommends that the reporting threshold for significant cash transaction reports should not be allowed to erode significantly through inflation.  To achieve this, the threshold should be adjusted periodically after consultation with cash dealers.  The aim of the adjustment should be to maintain the threshold at, or near, the present amount in real terms.''

There has been no adjustment to the threshold in the 18 years since the FTR Act was introduced. The Office appreciates that any alteration of the threshold amount imposes compliance costs on organisations which must tailor their processes accordingly. The current process of implementing new reporting obligations provides an opportunity to update the threshold amount when organisations will already be adjusting their compliance procedures. For the same reason, organisations may be reluctant to adjust their systems to incorporate an updated threshold amount in the foreseeable future. It is therefore an appropriate time to reconsider the threshold. Retention of the existing threshold will naturally result in more reports to AUSTRAC as inflation erodes the purchasing power of $10,000. 

Given that the intent of this legislation is to detect instances of money laundering and terrorism financing amongst significant transactions, the Office encourage the Department to update the threshold amount which triggers obligations under this legislation in an effort to contain the collection of personal information to that which may be reasonably regarded as necessary to meet the objects of the legislation. 

Further, it appears that the proposed legislation will apply to certain transactions where there is no threshold for reporting. The Office encourages the Department to consider setting some threshold for these transactions, so that only those of significant value trigger reporting obligations.

Privacy Impact Assessment

The Office has previously recommended that a Privacy Impact Assessment (PIA) be conducted on the operation of this legislation, ideally by an independent expert specialising in privacy issues and the conduct of PIAs. This recommendation was endorsed by the Senate Inquiry, which referred to the complexity of the Exposure Bill, the number of reporting entities and transactions covered by its operation, the amount and type of information that will be collected, and the range of agencies that will have access to the information.

The Office maintains that changes to the AML/CTF regulatory regime would benefit from a comprehensive PIA.