Chapter 4 - Privacy concerns

4.1 The Office of the Privacy Commissioner (OPC), the Australian Privacy Foundation (APF), the Office of the NSW Privacy Commissioner (NSWPC), the NSW Council for Civil Liberties (NSWCCL) and Liberty Victoria provided the committee with a non-industry perspective on the possible impact of the proposed AML/CTF regime on the privacy and civil liberties rights of individuals.[188]

4.2 In particular, the concerns raised by these organisations related to:

the lack of consultation on privacy issues prior to the release of the Exposure Bill;
the need for a privacy impact assessment for the Exposure Bill;
the wide range of entities collecting information under the regime;
the type and extent of information to be collected under the regime;
use of information collected pursuant to the regime; and
the application of the Privacy Act 1988 (Privacy Act).

Consultation on privacy issues

4.3 As noted in Chapter 3, the proposed AML/CTF regime has been developed since January 2004 in consultation between government and industry groups. NSWCCL and the APF both raised concerns that, despite this lengthy consultation period, privacy and civil liberties groups and consumer representatives were not given the opportunity to be involved in the drafting of the legislation until after the release of the Exposure Bill.[189] Ms Anna Johnson of the APF also stated that there was a lack of transparency to the process, citing the Department's reluctance to make available submissions received during public consultations in 2004.[190]

4.4 In evidence to the committee, the Department stated that while consumer advocate and privacy groups are not involved in the ministerial advisory group, parallel discussions are occurring with these organisations. It is proposed that these consultations will take the form of an ongoing body which will meet quarterly; and it is anticipated that the Minister would attend one or two of those meetings.[191]

4.5 AUSTRAC also confirmed that the Department and AUSTRAC have been involved in discussions with privacy, civil liberties and consumer groups, and that issues about coverage of the Privacy Act are being dealt with between the OPC and the Department. Further:

All matters raised during the consultation period, including in submissions to this Committee, will be taken into account in reviewing the drafting of the Bill and the Rules. AUSTRAC is consulting with the Privacy Commissioner’s office on the draft Rules and on guidance which will underlie the Rules, both directly and through its Privacy Consultative Committee, which also includes privacy, civil liberties and consumer groups.[192]

Privacy impact assessment

4.6 The committee's attention was directed to the issue of whether the potentially invasive measures in the Exposure Bill are necessary and proportionate to the risks they are meant to address; namely, money laundering and financing terrorism. [193]

4.7 To address this concern, the OPC suggested that a Privacy Impact Assessment (PIA) be performed for the legislation. The OPC described a PIA as:

... an assessment tool that describes, in detail, the personal information flows in a project, and analyses the possible privacy impacts of the project. A PIA may assist in identifying and evaluating the impact of such matters as the Exposure Bill’s coverage and issues around uses and disclosures of personal data.[194]

4.8 The OPC indicated that it had previously recommended to the Department that a PIA be conducted on the legislation:

The Office provided comments to the Criminal Justice Division (CJD) of the Attorney-General’s Department on a draft of the Anti-Money Laundering Bill 2004 on 14 January 2005. In these comments the Office suggested that at the end of the second round of consultations, it would be useful for the CJD to conduct a Privacy Impact Assessment (PIA) regarding the next version of the Bill.

The Office believes that PIAs are a good practice approach to assessing the privacy risks associated with projects that have complex information flows.

... Accordingly, I anticipate that the Office will again recommend to the Attorney-General’s Department as part of our response to their request for comments on the Exposure Draft that they should consider undertaking a PIA.[195]

4.9 In evidence to the committee, Mr David Vaile of the APF also indicated its support for a PIA.[196] Mr Stephen Blanks of the CCL supported both a PIA and a human rights impact assessment for the Exposure Bill.[197]

4.10 The Department indicated to the committee that, at this stage, the Minister has not agreed to a PIA being conducted for the Exposure Bill.[198]

4.11 In view of the far-ranging nature of the provisions contained in the Exposure Bill, the committee is of the view that a PIA would be beneficial.

Range of entities collecting information

4.12 The APF pointed out that there has been no attempt to quantify the number of entities expected to be captured by the various types of services listed in section 6 of the Exposure Bill.[199] This makes it difficult to ascertain the extent to which some reporting entities will be covered by the National Privacy Principles (NPPs) in the Privacy Act. However, what is known, is that:

... [i]f enacted in its current form and with both tranches implemented, the Exposure Bill will impose personal information collection and disclosure obligations on far more entities than is currently the case under the FTR Act.[200]

4.13 A number of submissions also raised concerns about the use of reporting entities for performing security surveillance. Mr Luke Lawler from the Credit Union Industry Association (CUIA) described the situation as follows:

There is a kind of deputisation of the entire financial sector to gather information on people and report information on people to a vast number of federal agencies.

4.14 NSWCCL described the regime as 'drastically reducing' the extent to which government and government agencies will be accountable for Australia's national security and intelligence regime.[201]

Type and extent of information to be collected under the regime

4.15 Submissions and witnesses raised concerns with respect to the wide range of information to be collected by reporting entities under the regime.

Customer identification information

4.16 The APF considered that the customer identification procedures in Part 2 of the Exposure Bill are contrary to the principle of anonymity provided for in NPP 8; that is, wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.[202] The APF was particularly concerned at the effect on individuals' ability to search for an acceptable financial advisor without identifying themselves.[203]

4.17 Mr Raj Venga of the Australian Association of Permanent Building Societies also argued against aspects of the identification process, anticipating that they would be regarded by customers as overly intrusive:

We do not believe that the government and its agencies have properly considered how intrusive the customer identification and monitoring requirements of the bill and rules actually are. We see such intrusion as a bad thing. The fact of the matter is that the overwhelming majority of our members—almost all of them—are neither money launderers nor terrorists. Customers will not welcome the prospect of providing ID information—although they do it now on a limited basis—or responding to queries in relation to the source of funds, income and financial assets or their financial situation. These are personal and confidential matters that customers would understandably not wish to share, unless absolutely necessary in relation to the designated service—for example, applying for a loan. If a customer chooses not to cooperate, do we terminate our business relationship with the customer? And are we required to lodge a suspect matter report on the basis that the customer has not been forthcoming in providing this information?[204]

4.18 American Express considered that the scope of the minimum customer information required under the Rules is unnecessarily wide:

For the purpose of issuing a relatively low risk product such as a credit card, it is of no business value to record: place of birth, nationality or country of residence. Verifying these particulars would be disproportionately costly and labour intensive and would yield no information of regulatory value for AML/CTF purposes. In addition, such information of necessity becomes a surrogate for identifying ethnicity, which in turn may lead to inappropriate assumptions being used as a basis for decision-making. The legitimate objectives of privacy and anti-discrimination laws may thus be undermined.[205]

4.19 In response to this comment, the Department and AUSTRAC pointed out that American Express' concerns appeared to be directed to a draft version of the customer identification Rules, which had included a list of specific prescribed requirements. The Department indicated that these Rules would be redrafted to reflect a more risk-based approach. [206]

4.20 In an answer to a question on notice, AUSTRAC confirmed that the policy in relation to customer identification has changed since the committee's hearing:

The Bill will be redrafted to provide for customer identification programs, to be developed by reporting entities, which take into account the level of risk in determining what identification process is to be applied to particular customers. Draft Rules have been prepared reflecting this change. Those Rules are currently with industry working groups but will be made more widely available after industry's views have been received. This will include discussions with the Privacy Commissioner’s office.[207]

AML/CTF Programs

4.21 The AML/CTF Program requirements also triggered concerns from a privacy perspective; namely, the volume and type of information being provided to reporting entities under the customer due diligence requirements in the AML/CTF Program Rules.

4.22 The APF stated that reducing the risk of money-laundering and counter terrorism should not require monitoring of all customers and all transactions. The APF submitted that the 'floor' for the minimum 'Know Your Customer' information is set too low and the additional 'Know Your Customer' information and enhanced due diligence requirements are likely to apply to too many customers.[208]

4.23 The APF acknowledged that there was provision for full or partial exemption from identification procedures for some low-risk services. However, in its view, the drafting of such exemptions should not be 'left to the discretion and judgement of AUSTRAC to make in Rules'.[209]

4.24 Further, privacy implications are likely to arise from the requirement that reporting entities assign customers a risk classification.[210] The APF and the NSWPC noted that an assessment that a customer is 'higher risk' will potentially have an adverse affect on the customer, and the Exposure Bill lacks a review mechanism for a customer to challenge the risk assessment.[211]

Impact of extensive 'suspicious matters' reporting obligations

4.25 Part 3 of the Exposure Bill provides that reporting entities must report certain 'suspicious matters' and transactions to AUSTRAC. 'Suspicious matters' is not defined in the Exposure Bill. The matters to be taken into account in determining whether there are reasonable grounds to report a suspicious matter will be set out in the Rules. Proposed subsection 39(4) makes it an offence if reporting entities fail to notify AUSTRAC of suspicious matters.

4.26 Five issues were raised in submissions and in evidence to the committee, regarding the obligation on reporting entities to report suspicious matters:

the lack of precision in the definition of suspicious matters, particularly that the matters are not necessarily restricted to reports regarding money-laundering or terrorist financing;
the probability of over-reporting of suspicious matters by reporting entities to avoid prosecution;
the potentially discriminatory impacts of the reporting obligation;
the lack of notice and openness in relation to the reporting regime, given that there is no requirement that reporting entities inform their clients that a suspicious matter report has been made to AUSTRAC; and
the potentially conflicting obligations of employees of reporting entities to make suspicious matter reports, but not to tip off customers.[212]

4.27 The APF argued that the whole concept of reporting 'suspicions' by employees of reporting entities who are not qualified and trained investigators is inherently flawed:

The criteria suggested in AUSTRAC guidance on suspect transaction reporting have always been highly subjective. The draft AML/CTF Rules and Guidelines for suspicious matter reporting which accompany the draft Bill are no better. They include appearance and behavioural factors as well as supposedly factual matters which there is no reason for employees of reporting entities to know.[213]

4.28 The APF argued further that the result of such broad and subjective guidance, and of the penalties for failure to report, would be either:

Even greater intrusion into customers' personal affairs, often based on 'guesswork', and/or,

Over-reporting because of an absence of information – 'to be on the safe side'.[214]

4.29 NSWCCL highlighted the potential impact of the obligation to report suspicious matters with other elements of the Exposure Bill:

Part 9 (Countermeasures) of the proposed legislation allow the government to prohibit financial transaction to and from residents of particular countries. The combined effect of these provisions could be to encourage unwarranted 'suspicion' against persons of particular ethnic backgrounds or appearances. If so, this may create discrimination against individuals from non English-speaking backgrounds, because their behaviour, language, and lack of familiarity with Australian institutions and laws could lead to false 'suspicions [matter]' reports against them.[215]

4.30 In response to arguments suggesting 'racial profiling' may be a consequence of the suspicious matters reporting requirements, the Department had the following comments:

If a person’s appearance and behaviour give rise to suspicion on the part of the bank then there would be an obligation to report. I do not see how we can write into the legislation 'as long as you don’t form that suspicion on a racist basis'. I think there are limits to what the legislation can do. If we decide that we want suspicions reported then some suspicions will be reported, if people do it properly. Some of those suspicions will be groundless and some will be based on things they should not base suspicions on.[216]

4.31 When asked about the training of staff to report suspicious matters and transactions, the Department said:

I suggest that in relation to the question on how you are going to train staff to recognise risks and so on, there is at least an attempt in this bill to ensure that the programs require that sort of training for staff, whereas if you look at the existing FTR Act there is just the broad obligation. We recognise that experience will build over time and that at least there is an attempt to build a platform.[217]

4.32 The OPC noted that the reporting obligation in proposed section 39 goes beyond the reporting of information in relation to money-laundering and terrorism offences themselves.[218] Liberty Victoria highlighted that the obligation extends even beyond information which might be relevant to serious offences, to encompass any offence – state or federal, and offences against foreign laws.[219]

4.33 Mr Luke Lawler of the CUIA told the committee of the experience in the US when similar legislation was introduced:

One of the lessons from the experience of the United States is on the sheer number of reports being filed. There was an incredible increase in the number of suspicious activity reports that were being filed, so the financial intelligence unit over there was flooded with these reports with personal information about individuals, to the point where they were trying to advise industry to ease off a bit and be a bit more selective about the kinds of reports they were lodging. But industry was concerned because there were some high profile cases where some regulated entities were hit with very big fines for having inadequate anti-money laundering regimes. So in order to avoid any prospect of being prosecuted, they were pumping out these suspicious activity reports.[220]

4.34 Similarly, Ms Rhonda Luo of the NSWCCL told the committee that there was no utility in a system which generates over-reporting:

Over-reporting is also very likely to result in misinformation being collected against individuals. If the object of the legislation is to identify and prevent international financial crimes, there is simply no use in having a large volume of possibly useless and wrong information against our citizens. It is possible that many innocent people will be caught up in these measures. More experienced, if I may say that, money launderers and financiers will be more likely to escape the simple pitfalls in the legislation.[221]

4.35 To rectify some of these problems, NSWCCL suggested that there be provision in the Exposure Bill for:

notification to be given to customers at the beginning of a business relationship that business and service providers are required to report their financial activities that are regarded as 'suspicious';
ex post facto notice to be given to individuals that a suspicious matter report has been made; and
mechanisms by which individuals may be warned against financial products or transactions that are likely to generate a suspicious matter report.[222]

4.36 The Department justified the suspicious matters reporting requirements on several grounds. In its view, the legislation builds on what is already in the FTR Act, since the key parts of the reporting requirement provisions are taken word for word from the existing Act:

Those provisions have been there since 1988 and the number of suspicious transaction reports has gradually risen during that period from a fairly low level to the level that it is now at. They have never produced the sorts of problems which people are now saying that these provisions will produce.[223]

4.37 Further:

In relation to the privacy issues, I hear what they say... But I do not know that there is a solution to some of the issues that they have raised. But what we then expect of the entity is that essentially they forget that they have put in a suspect transaction report, because it becomes the responsibility of AUSTRAC and the law enforcement agencies to decide whether to take action. We do not want reporting entities to be keeping records and blacklists of people who have put in suspicious transaction reports. [224]

Secrecy and access

4.38 The privacy implications of the wide collection requirements outlined above are compounded by the secrecy provisions in Part 11 of the Exposure Bill and, in particular, their application to suspicious matters reporting.

4.39 Ms Anna Johnson of the APF made the following comment on the provisions:

We reserve our strongest criticism for the notion of secret reporting of suspicious matters. In our view, the concept of secret files compiled on the basis of amateur assessments and wholly subjective criteria is inconsistent with a free society.[225]

4.40 Having noted that the information in suspicious matter reports could be of 'dubious quality', because the reports are based on the subjective judgement of the employees of reporting entities, NSWCCL went on to say:

... [t]he proposed regime also offends against individuals' access and correction rights under privacy laws, as the privacy-exempt suspicious transactions list thus created will be exempt from [Freedom of Information] law. It is uncertain how AUSTRAC will deal with information that appears to be unreliable, but it is submitted that the object of the legislation – prevention of terrorist financing – cannot be met if government or international investigations proceed on unreliable information. CCL notes that these secrecy provisions go beyond any existing regime in Australia, and even beyond the controversial wire-tapping laws in the United States.[226]

4.41 NSWCCL also suggested that there should be a notification given to customers at the beginning of a business relationship that business and service providers are required to monitor their financial activities.[227]

4.42 Representatives from the Department and AUSTRAC responded to the concerns with respect to secrecy as follows:

The only tipping-off provisions in here are if you have put in a suspicious transaction report, you are not allowed to tell people that you have put in the report.

... [T]here will be nothing at law stopping them from saying, if they wanted to, 'We consider you to be a high risk.' All they are not allowed to disclose is if in fact something has triggered an actual suspicion rather than a view that the customer is high risk. Somebody can be a high risk customer and never raise a suspicion, because even though they are high risk, their business is completely legitimate. It is only about putting in the suspicious matter report that the tipping off provision applies. If a customer comes to bank or a casino under privacy laws and asks whether they have been classified as high risk, I do not see that there is any way they can refuse to tell them.[228]

Need for public education campaign

4.43 The committee heard that there is a need for a public education campaign about the implications of the new regime. For example, Mr Luke Lawler of the CUIA told the committee that he anticipated that credit union customers would not react positively to a number of elements of the regime:

Credit unions and other regulated entities will be required to collect baseline information on all customers. They will have to give all customers a risk classification, they will have to identify customers and services that pose a high risk, and they will have to collect quite detailed information on some customers and carry out transaction monitoring. Regulated entities will be obliged to report suspicious matters, even in cases where there is no actual transaction. Because of the impact on customers of these proposals, we have said from the outset that a significant public education campaign will be needed to explain why your financial institution will be asking you for more information about your personal affairs. We think this will come as a shock and a surprise to a lot of customers.[229]

4.44 Mr Lawler emphasised that such a public awareness campaign should inform customers that the actions taken by reporting entities are due to legislative requirements and are not being taken merely of their own volition:

We would anticipate that, depending on the extent to which one has to gather this sort of additional information on customers beyond what is gathered in the ordinary course of business now, many of our members would be quite affronted and quite surprised at being asked to provide this sort of information. Even some of the baseline information that is proposed to be provided includes, for example, place of birth. If you provide a birth certificate as ID, that is all taken care of but if you provide, for example, a drivers licence as ID, you are not necessarily disclosing your place of birth. Nevertheless, the regulated entity will have to ask you for your place of birth. Some people might find that unnecessary and a little creepy...

[W]e will be quite keen to explain that if we have to collect this sort of information—and in cases where someone fits a profile of possibly a high risk or a high-risk product, we will have to go and get some more information on them—we will want them to be aware that this is a legislative requirement and that we are not doing this simply to intrude in their personal affairs.[230]

4.45 The Department noted that it had considered the need for an awareness campaign to inform the public that these obligations stemmed from government and not from industry. The Department has given a commitment that such a campaign will take place, although the appropriate time for such a campaign remains to be determined.[231]

Use of information

4.46 Not only does the Exposure Bill provide for the collection of a great deal of additional material, it would also permit the use of that information for a wide range of purposes that arguably go beyond the objectives of the legislation. This has obvious privacy implications.

4.47 This issue has two elements: the first is the uses permitted by reporting entities of information collected from their customers; the second is the extent of AUSTRAC's authority to disseminate information contained in its system to other agencies.

Use of information for secondary purposes

4.48 Some submissions and evidence drew to the committee's attention the issue of use by reporting entities of information collected under the regime for secondary purposes. This matter is particularly relevant to those reporting entities not bound by the NPPs (discussed below).

4.49 As an example of the potential misuse of this information, Ms Anna Johnson of the APF drew the committee's attention to a recent article in the Law Society Journal that promoted the benefits of the Exposure Bill as a way of generating further business because reporting entities will be required to know more about their customers' finances.[232] The article pointed out that the Exposure Bill would allow lawyers to have 'at their fingertips' information that would effectively allow them to sell a raft of additional services to their customers.[233]

4.50 This article raised the concern that reporting entities could use the proposed legislative requirements to compulsorily collect a wide range of personal customer information and use it for the general purposes of marketing and profiling.

Access to AUSTRAC-held data

4.51 Division 4 of Part 11 of the Exposure Bill provides for government agencies to access information held by AUSTRAC. In particular, proposed section 99 provides for AUSTRAC to grant access to 'designated agencies' 'for the purposes of performing the agency's functions and exercising the agency's powers';[234] that is, for purposes that may be completely unrelated to AML or CTF. Designated agencies are defined in proposed section 5, and include not only law enforcement agencies such as the Australian Federal Police, but also a wider group of agencies including the Child Support Agency and Centrelink. Further provision is also made to disseminate information to 'an authority of agency of a State or Territory, where the authority or agency is specified in the regulations'.[235]

4.52 The scope of the information dissemination by AUSTRAC pursuant to this provision raised some concerns. The OPC understood that the intention is that agencies with current access to AUSTRAC data under the FTR Act would retain that access, and it will be up to AUSTRAC to decide if other agencies are able to access information collected under the Exposure Bill.[236] The OPC's view on such an arrangement was that:

... the replacement of the FTR Act with new legislation with its greater scope and impact does not, of itself, necessarily justify the continuance of the present data-sharing arrangements so as to permit access to the welfare and assistance agencies. In the event that the welfare and assistance agencies are to be given access to AUSTRAC data, then a statement of the legislative objects of the Exposure Bill should reflect an intention to allow such agencies to scrutinise the AUSTRAC data for their purposes. Accordingly, community consultation should be conducted expressly on this policy setting.[237]

4.53 The OPC suggested that proposed section 99 be amended 'to a more privacy sensitive form' in which access to AUSTRAC-held data is restricted to purposes consistent with and relevant to the underlying purpose of the AML/CTF scheme.[238]

4.54 A representative of AUSTRAC clarified the scope of the information-sharing provisions of the Exposure Bill:

... section 99(1) of the bill allows AUSTRAC to authorise specified officials of specified designated agencies. It does not allow us to decide which agencies may have access. The designated agencies are those agencies listed in section 5 under the definition. That provision is about what we do now, which is not specifically set out in our Act. In our MOUs with our partner agencies, we actually specify a limited number of officers who have access to our information. This is a provision that legislatively for the future will require us to specify them. So it is not like AUSTRAC can say, 'These are more agencies, other than are on the face of the bill, that can have access to our information.'

4.55 On the issue of the purposes for which designated agencies could access AUSTRAC-held data, representatives of AUSTRAC and the Department said:

Some of this comes back to the questions about the definition of money laundering and the fact that the predicate offences for money laundering are extremely broad ... [S]ome of those issues are matters of government policy about who should have access to our information and for what purposes.

4.56 In an answer to a question on notice, AUSTRAC noted that FTR information currently available to designated agencies is used to combat money laundering:

The FTR information available to the designated agencies assists them to stop illegal conduct which would otherwise result in the laundering of money. If the agencies were not able to use the information to identify and prosecute offenders for predicate offences, where money laundering has not occurred because of the timing of the identification and investigation of the predicate offence, then the success of Australia’s very effective anti-money laundering program would be severely diminished.[239]

4.57 The Department also noted specifically in relation to tax that the close relationship between tax, tax evasion and money laundering, and the fact that the taxation power underpins the FTR Act, makes it appropriate for the ATO to have access. The Department undertook to consider the other comments in relation to which matters should be made explicit in the objects clause.[240]

Application of the Privacy Act

4.58 An important consideration in assessing the privacy implications of the Exposure Bill is the extent to which protections afforded by the Privacy Act apply to both AUSTRAC and government agencies, and the various service providers that would become reporting entities under the Exposure Bill.

AUSTRAC

4.59 A number of submissions noted that the Exposure Bill does make provision for AUSTRAC to obtain assurances from state, territory and foreign agencies about compliance with the Information Privacy Principles (IPPs) in the Privacy Act. However, the submissions questioned the enforceability of such assurances and what remedies individuals may have in the event that their privacy is interfered with.[241]

4.60 In response, AUSTRAC indicated to the committee that:

... the memoranda of understanding that we currently have with our state and territory partner agencies actually state that they undertake to comply with the information privacy principles.[242]

Application of the National Privacy Principles to reporting entities

4.61 The NPPs in the Privacy Act regulate the collection, use and disclosure and handling of personal information by private sector 'organisations'. Reporting entities that are 'organisations' for the purposes of the Privacy Act will be required to comply with the NPPs.

4.62 The OPC outlined its concern that many of the privacy protections offered in the NPPs, such as the obligations in relation to data quality, notice and openness, will only apply to reporting entities to the extent that they are 'organisations' – as defined in the Privacy Act.[243]

4.63 Of particular concern is the fact that 'small businesses' – that is, businesses with an annual turnover of $3 million or less – are generally exempt from the NPPs.[244] NSWPC had the following comment in this regard:

It is out experience that many small businesses are either not very familiar with best privacy practice or choose not to follow it for a variety of reasons, predominantly because they do not have an obligation under the law to protect personal information of individuals. We receive a steady stream of complaints from members of the public alleging privacy breaches by medium and small businesses of the like that are likely to become reporting entities under the Bill. Unfortunately, under the current legislative regime neither state nor federal privacy agencies have effective powers to deal with such complaints.[245]

4.64 Witnesses before the committee demonstrate the mixed extent to which the NPPs might apply to reporting entities:

All members of the Credit Union Industry Association are subject to the NPPs, because even those members to whom the NPPs did not apply had opted into the regime.[246] This is probably also the case for members of the Australian Association of Permanent Building Societies.[247]
Some members of the Institute of Chartered Accountants in Australia are subject to the NPPs but not all.[248]
Most members of the Financial Planning Association of Australia are subject to the NPPs, either because they are required to under the Privacy Act, or they had opted into the regime.[249]

4.65 The OPC, the NSWPC, and the APF all recommended that, given the personal and sensitive nature of the information being handled, all reporting entities should have privacy obligations imposed on them that are at least equal to the requirements of the NPPs.[250] The APF went further in suggesting that the Exposure Bill should be amended to specifically remove from reporting entities any exemption they may enjoy under the Privacy Act.[251]

4.66 The OPC also stated that the Exposure Bill should include additional privacy provisions which are consistent with the Privacy Act for all reporting entities, regardless of size or type.[252] The OPC made the following suggestions as to how this could be achieved:

Through privacy protections set out in a Schedule to the Exposure Bill, with an enforcement provision to the effect that a breach of the protection measures constitutes interference with the privacy of an individual for the purposes of section 13 of the Privacy Act.
Amending the Privacy Act to specifically incorporate privacy with respect to AML/CTF.
Including privacy provisions by way of an enforceable rule under section 191 of the Exposure Bill.
Regulations under section 6E of the Privacy Act to include small businesses as 'organisations' for the purposes of the AML/CTF legislation.[253]

4.67 In the course of the public hearing, the Department acknowledged that the issue of the small business exemption to the NPPs was an issue that the Federal Government would have to, and will, address.[254]

Retention of information

4.68 An associated issue is the rules regulating the retention of information gathered by reporting agencies pursuant to the proposed regime. Part 10 of the Exposure Bill sets out the record-keeping requirements for reporting entities, and public comment has been invited on the duration of retention periods for records and documents.

4.69 The OPC considered that, while any period may be arbitrary, some guidance could be taken from the NPPs, which provides for the destruction of that personal information once it is no longer needed for any purpose for which the information may be used or disclosed. In the OPC's view such an approach highlights that there must be a 'specific and clearly justified' purpose for the retention of personal information.[255]

4.70 The APF also referred to the NPPs, and stated that the retention period should be for the shortest period possible to fulfil the objectives of the legislation. The APF noted that while there may be a temptation to set long or indefinite retention periods on the basis of a hypothetical utility, this should be resisted, particularly for suspicious matter reports which are 'hidden' from the subject.[256]

4.71 In considering the period for retention, Liberty Victoria suggested a period of five years, stating that anything outside of that time frame is:

... likely to be of limited value in money laundering or terrorism offences which are far more likely to occur contemporaneously with the transaction.[257]

Committee view

4.72 Despite expressing optimism in the previous chapter that the majority of outstanding issues will be resolved before finalisation of the regime, the committee does remain concerned about the apparent lack of formal consultation with privacy, civil rights and consumer representative groups in the development of the regime to this point. The committee is of the view that this may have resulted in some fundamental privacy, consumer and civil rights issues being overlooked. Nevertheless, the committee is also hopeful that these issues will be addressed through the parallel discussion groups established by the Department.

4.73 The committee notes the OPC's suggestion that an independent PIA would be useful in relation to the Exposure Bill. The committee agrees with this view and believes that a PIA would be beneficial in achieving a more balanced approach to the AML/CTF regime. This is particularly important given the complexity of the Exposure Bill, the vast number of reporting entities and transactions covered by the Exposure Bill's operation, the amount and type of information to be collected, and the ability of various agencies to access that information. The committee therefore strongly suggests that such an assessment be conducted.

4.74 The committee also notes that the Federal Government intends to address the issue of the small business exemption to the NPPs in relation to reporting entities. However, the committee believes that the concerns raised in submissions and evidence highlight a larger problem in relation to the privacy obligations of reporting entities. The committee's view is that any PIA should include a review as to whether the privacy protections set out in the NPPs are sufficient for the purposes of the information being collected and handled by reporting entities.

4.75 If it is found that the privacy protections in the NPPs are not sufficient for the purposes of reporting entities, then adequate privacy protections could usefully be included in the AML/CTF legislative package. If the privacy protections in the NPPs are considered adequate for the purposes of reporting entities, then the Federal Government should ensure that all reporting entities are made subject to privacy obligations equivalent to those contained in the NPPs.

4.76 In line with a further suggestion by the OPC, the committee also considers that the Exposure Bill should contain a clear objective statement that is reflective of the intention to allow federal, state and territory agencies, including welfare and support agencies, to access and utilise AUSTRAC data for their own purposes – purposes which may not be related in any way to AML or CTF.

4.77 The committee considers that such a statement should be included in the final version of the bill to make it clear at the outset that this may occur.

Senator Marise Payne
Committee Chair

Navigation: Previous Page | Contents | Next Page