
Exposure Draft – Combating the Financing of People Smuggling and Other Measures Bill 2010

Submission to the Attorney-General’s Department - December 2010


Key recommendations

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the Attorney-General’s Department (AGD) on the Exposure Draft of the Combating the Financing of People Smuggling and Other Measures Bill 2010. The draft Bill is of interest to the OAIC in its capacity as the national privacy regulator with responsibilities relating to the credit reporting system and the spent convictions scheme.

In summary the OAIC makes the following comments and recommendations:

  1. The OAIC welcomes the draft Bill’s adoption or reflection of many of its previous suggestions for enhancing the privacy protections in relation to the electronic verification of identity (e-verification). These protections reflect a range of ‘privacy fundamentals’, such as individual choice and control; adequate notice; limits on disclosure, use and retention; and appropriate sanctions for mishandling. Noting that the personal information in the credit reporting system is collected and held for other purposes (the assessment of individuals’ creditworthiness by credit providers), these protections balance the expanded use of that information.
  2. To make it clear that a breach of the provisions in Schedule 2 of the Bill (on e-verification) is an interference with privacy under the Privacy Act 1988 (Cth), the Bill should introduce a note to that effect under sections 13 and 13A of the Privacy Act (which deal with interferences with privacy).
  3. As mismatches of personal information provided by individuals and that held by credit reporting agencies could have negative consequences for individuals, the OAIC encourages the availability of a dispute resolution process for such circumstances.
  4. Appropriate oversight mechanisms should be in place to monitor the handling of credit information for e-verification. For example, this may include mandatory reporting obligations for credit reporting agencies and reporting entities concerning their e-verification activities.
  5. The Explanatory Memorandum should be amended so that references to the ‘Privacy Commissioner’ are updated to the ‘Australian Information Commissioner’, who now formally holds the powers and functions in the Privacy Act (supported by the Privacy Commissioner and the Freedom of Information Commissioner).
  6. In the context of registration of remittance dealers (Schedule 1 of the Bill), the OAIC welcomes the fact that the Bill will not affect the operation of Part VIIC of the Crimes Act 1914 relating to spent convictions (old minor convictions protected from disclosure).

Office of the Australian Information Commissioner

  1. The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency established by the Australian Information Commissioner Act 2010 (AIC Act). The OAIC commenced operation on 1 November 2010 and is headed by the Australian Information Commissioner (AIC), supported by two other statutory office holders, the Freedom of Information Commissioner and the Privacy Commissioner. Staff of the former Office of the Privacy Commissioner are now part of the OAIC.
  2. Together the Commissioners of the OAIC exercise two broad functions:
    1. the freedom of information (FOI) functions set out in section 8 of the AIC Act, and
    2. the privacy functions set out in section 9 of the AIC Act. These include functions outlined in the Privacy Act itself. For example, section 28A confers functions such as investigations of credit infringements by credit providers and credit reporting agencies (CRAs); audits of credit information files and reports; and advice and guidance to relevant parties.
    The Australian Information Commissioner also exercises the Information Commissioner functions set out in section 7 of the AIC Act.

Purpose of the proposed Bill

  3. The OAIC understands that the draft Combating the Financing of People Smuggling and Other Measures Bill 2010 (the draft Bill)[1] proposes to amend the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the Privacy Act 1988 (Privacy Act), with two main aims:
    • Remittance sector regulation – introducing a more comprehensive regulatory regime for the remittance sector, to reduce the risk of money transfers by remittance dealers being used to fund people smuggling and other serious crimes
    • E-verification – enabling businesses regulated under the AML/CTF Act (reporting entities) to collect and use limited personal information derived from an individual’s credit information file for electronic verification purposes, to effectively and efficiently verify customers’ identity in compliance with AML/CTF Act obligations.[2]

Background to E-Verification

  4. This submission focuses on Schedule 2 of the draft Bill relating to e-verification involving the credit reporting system, subject to one query relating to the spent convictions scheme and regulation of the remittance sector in Schedule 1.
  5. The Australian Law Reform Commission (ALRC) considered the question of the use of credit reporting information for electronic verification in its Report 108 (2008), For Your Information: Australian Privacy Law and Practice (ALRC Report 108).[3] The ALRC recommended that ‘the use and disclosure of credit reporting information for electronic identity verification purposes to satisfy obligations under the AML/CTF Act should be authorised expressly under the AML/CTF Act’.[4]
  6. However, the ALRC also said that before this recommendation can be implemented there should be further consideration of measures to protect privacy. For example:
    • legislation prohibiting reporting entities from secondary uses or disclosures of credit reporting information obtained for identity verification purposes
    • reporting entities having positive obligations to seek consent from individuals before using credit reporting information to verify identity, and
    • requiring reporting entities to have processes in place to resolve mismatches of the information that individuals provide.[5]
  7. As the Explanatory Memorandum to the draft Bill notes, in its response to ALRC Report 108, the Australian Government agreed in principle to the above recommendation.[6] Subsequently the Attorney-General’s Department commissioned a Privacy Impact Assessment (PIA) to investigate appropriate privacy protections. The OAIC (then as the Office of the Privacy Commissioner) and other interested parties were consulted as part of the PIA process. The outcomes of the PIA informed the development of this draft Bill.[7]
  8. In its 2007 submission to the ALRC’s inquiry, the Office of the Privacy Commissioner commented on the potential use of credit reporting information for e-verification.[8] That submission suggested that the credit reporting system should not be subject to expanded uses and disclosures that are unrelated to its original purpose, that is, the assessment of an individual’s eligibility for credit.
  9. However, this Office recognises that electronic commerce is becoming more widely used in the community, including by individuals in their day-to-day transactions with businesses. In light of this trend, it may be that the community now accepts this expansion of the uses of identification information on credit information files, for specific, limited purposes and where there are strong safeguards, as a reasonable adaptation.
  10. Accordingly, in the period since the ALRC’s inquiry, this Office has suggested that any proposal for allowing use of credit reporting information for e-verification purposes should undergo a public consultation process, including the release of exposure draft legislation for comment, and the inclusion of adequate controls to protect personal information. The OAIC welcomes the Australian Government undertaking this consultation in line with that suggestion. The OAIC also welcomes the consultation on, and publication of, the Attorney-General’s Department’s PIA on e-verification.[9]

Office engagement and privacy safeguards for e-verification

  11. The Attorney-General’s Department has engaged various agencies on the development of the draft Bill and this Office has provided comments on a number of occasions. The OAIC welcomes the fact that many of its previous suggestions for enhancing the privacy protections in the Bill have been adopted or reflected in some way in the exposure draft.
  12. Under the proposed protections:
    • reporting entities under the AML/CTF Act can only use personal information held on an individual’s credit information file for the purposes of electronic verification of customer identity[10]
    • before making a verification request in relation to an individual, a reporting entity must provide the individual with information about the verification process, including reasons for making the request[11]
    • the individual’s express consent is required in order to use their credit file for e-verification purposes[12]
    • reporting entities must make available to the individual an alternative means of verifying the individual’s identity[13]
    • reporting entities must notify their customers of unsuccessful attempts to verify identity using credit reporting data[14] (see also paragraph 19 of this submission)
    • credit reporting agencies (CRAs) and reporting entities must delete information about verification requests after a specified retention period (the draft Bill proposes seven years, which is understood to align with other AML/CTF retention requirements)[15]
    • CRAs must keep information about verification requests separate from the individual’s credit information file[16]
    • there are offences and penalties to address unauthorised access to, and use and disclosure of, verification information[17]
    • in addition, a breach of certain personal information handling obligations (see para 15 below) will be an ‘interference with the privacy of an individual’ under the Privacy Act.[18]
  13. Together, these protections reflect a range of ‘privacy fundamentals’, such as individual choice and control; adequate notice; limits on disclosure, use and retention; and appropriate sanctions for mishandling. Noting that the personal information in the credit reporting system is collected and held for other purposes (the assessment of individuals’ eligibility for credit by credit providers), such protections balance the expanded use of personal information.
  14. In addition to welcoming this series of measures, this submission also makes several suggestions below that the OAIC believes would improve the privacy protections within the draft Bill.

Specific comments on Schedule 2 – E-Verification

Breach of requirement is an interference with privacy

  15. As noted above, under Division 5A, paragraph 35L of the draft Bill, a breach of a requirement of the Division (other than a breach of paragraph 35E or 35F) will be an ‘interference with the privacy of an individual’ for the purposes of sections 13 and 13A of the Privacy Act. This makes it possible for the Australian Information Commissioner to receive complaints about the mishandling of personal information in addition to the Bill’s offence provisions.[19]
  16. To assist individuals and others to be aware of all the practices that are ‘interferences with privacy’, it would be useful to include a note under sections 13 and 13A of the Privacy Act (which deal with interferences with privacy) about these new provisions in the AML/CTF Act.

Method for credit reporting agencies’ (CRAs) information matching and response

  17. Paragraph 35B(2) of the Bill limits the information that a CRA may provide to a reporting entity as part of an assessment in response to a verification request. The CRA may only provide an overall assessment of the extent of the match between the personal information it holds and that provided by the reporting entity. The Bill does not refer to any specific ‘method’ for returning a match. However, the OAIC understands this is likely to mean the assessment will contain an aggregate score, or ranking, which reflects the extent of the match across all fields of personal information that were checked (name, date of birth and address).[20]
  18. In order to limit information flows to those which are necessary, where practicable the OAIC suggests that information disclosed for verification purposes could be limited to a ‘yes/no’ (or ‘challenge/response’) confirmation of the relevant personal information. The OAIC understands that this has been considered in the present context; however, potential ‘minor’ error rates and the ability to protect the system from fraud may mean that a scoring system is more appropriate than a ‘yes/no’ response model. In other contexts, beyond this Bill, ‘yes/no’ models of verification may be more appropriate.

Resolving mismatches

  19. The OAIC suggests that appropriate dispute resolution processes should be in place to resolve claims that there was not a sufficient match in an e-verification process (that is, there was a mismatch of some information). Inaccuracies on a credit information file, such as the misspelling of an individual’s name, could return a low match score which reflects negatively on an individual’s relationship with the reporting entity. However, the mismatch may have been caused by an error on the credit reporting system rather than being an indication of fraudulent activity.[21] On this basis, the OAIC would encourage the availability of dispute resolution processes for resolving mismatches between the information individuals provide and the information held by CRAs. This could link into paragraph 35C of the Bill, which requires notification of unsuccessful matches.

Oversight mechanisms

  20. To supplement the proposed safeguards and ensure good governance, appropriate oversight mechanisms should be in place to monitor the handling of credit information for e-verification. This is particularly relevant given the considerable period of retention of information about verification requests specified in the draft Bill.
  21. For example, oversight mechanisms could include some combination of the following:
    • The OAIC’s existing power to undertake audits in the credit reporting sector could be expanded to monitor compliance by reporting entities and CRAs with the draft Bill’s requirements (the OAIC notes that such an expansion would have resourcing implications for this Office).
    • CRAs could be required to report any misuse or non-compliance by reporting entities (such as not obtaining the individual’s consent for e-verification), and to suspend or cancel e-verification subscriber agreements as appropriate.
    • CRAs could be required to submit an annual report to the OAIC regarding the number and form of e-verification disclosures made, and the storage and destruction mechanisms in place to protect the information.
    • The operation of the e-verification amendments and system could be subject to the review of the AML/CTF Act’s operation in 2013.
  22. The OAIC does not have a particular view as to the most appropriate form and location of such oversight mechanisms.

References to the Australian Information Commissioner

  23. The Explanatory Memorandum makes references to the ‘Privacy Commissioner’, specifically the Commissioner’s powers to receive and investigate complaints related to an interference with the privacy of an individual.[22] Following the commencement of the Australian Information Commissioner Act 2010 on 1 November 2010, these references should now be to the ‘Australian Information Commissioner’. The Information Commissioner formally holds the powers and functions in the Privacy Act, supported by the Privacy Commissioner and the Freedom of Information Commissioner.

Specific comments on Schedule 1 – Remittance Dealers

Spent convictions scheme

  24. The Bill will require providers of remittance networks and their affiliates, and independent remittance dealers, to be registered with AUSTRAC and to reapply for registration every three years. A person seeking registration will need to provide the AUSTRAC CEO with certain information (to be specified in the AML/CTF Rules) relevant to their suitability for registration. Matters to be specified in the AML/CTF Rules relevant to a person’s suitability may include (but are not limited to) offences with which the applicant for registration, or another person, has been charged or of which they have been convicted under the law of the Commonwealth, a State or Territory or a foreign country.[23]
  25. Paragraph 75D of the draft Bill states that AML/CTF Rules made under subparagraphs 75B(3)(b) or 75C(2) of the Bill will not affect the operation of Part VIIC of the Crimes Act 1914 (which includes provisions that relieve individuals of the requirement to disclose spent convictions in certain circumstances, and require persons aware of such convictions to disregard them). The OAIC welcomes this approach, which helps to ensure that personal information collected is limited to what is necessary in the circumstances.

Disclosure of offences of ‘another person’

  26. Paragraph 75C(3)(a) of the Bill could provide more clarity in relation to when the AML/CTF Rules might require disclosure and collection of personal information (by reporting entities and/or AUSTRAC) about offences committed by “another person”. For example, does “another person” refer to a remittance affiliate of the registered remittance network provider?[24] If so, the provision should be limited to those terms. It could also be considered whether (and when) in those circumstances it is reasonable to require the consent of (or notification to) that other person regarding the handling of their sensitive personal information.[25] This may in part depend on the intended scope of the draft provision, and whether the other person initially provides that information themselves.
  27. Under the Privacy Act, the National Privacy Principles (NPPs) set out higher standards of protection for “sensitive information” (which includes criminal records) handled by private sector organisations such as AML reporting entities.[26] For example, NPPs 1, 10 and 2 may be relevant in relation to reporting entities’ collection and disclosure of such information about other individuals. For Australian Government agencies, the Information Privacy Principles (IPPs) do not distinguish between sensitive and other personal information (although the draft Australian Privacy Principles may in some cases require agencies to apply higher standards in future).


Footnotes

[1] The draft Bill can be accessed at: www.ag.gov.au/aml.

[2] See also the Explanatory Memorandum for the draft Combating the Financing of People Smuggling and Other Measures Bill 2010 (the Bill), p 2.

[3] ALRC Report 108, available at www.austlii.edu.au/au/other/alrc/publications/reports/108/.

[4] ALRC Report 108, Recommendation 57-4.

[5] ALRC Report 108, para 57.173.

[6] Australian Government, First Stage Response to ALRC Privacy Report, 2009, www.dpmc.gov.au/privacy/reforms.cfm, response to Recommendation 57-4.

[7] Explanatory Memorandum, p 5.

[8] OPC submission to DP72, Question 53-3, pp 604-607, available at: www.privacy.gov.au/materials/types/download/9111/6748. The OPC also made submissions to ALRC Issues Papers 31 (www.privacy.gov.au/materials/types/download/9110/6757) and ALRC Issues Paper 32 (www.privacy.gov.au/materials/types/submissions/view/6669).

[9] The external privacy impact assessment (PIA) is available at www.ag.gov.au/www/agd/agd.nsf/Page/Anti-money_laundering, as at 3/12/2010.

[10] Schedule 2 of the Bill, paragraph 35A.

[11] Paragraph 35A(2).

[12] Paragraph 35A(2)(b).

[13] Paragraph 35A(2)(c).

[14] Paragraph 35C.

[15] Paragraph 35F.

[16] Paragraph 35D.

[17] See paragraphs 35F(4), 35H, 35J and 35K.

[18] Paragraph 35L.

[19] Schedule 2 of the Bill, clauses 35H, 35J and 35K.

[20] Explanatory Memorandum, p 25.

[21] One credit reporting agency’s submission to the ALRC Issues Paper 32 - Credit Reporting Provisions noted that an audit of 400 files detected minor errors in 4% of the sample files and critical errors in 1% of the sample (reference no longer available).

[22] Explanatory Memorandum, pp 27-28.

[23] Paragraph 75C(3)(a).

[24] Paragraph 75B(2) states that “A registered remittance network provider may apply in writing to the AUSTRAC CEO for another person (emphasis added) to be registered as a remittance affiliate of the registered remittance network provider”.

[25] The OAIC notes that paragraph 75C(5)(b) says the AUSTRAC CEO must, as soon as practicable after deciding to register a person, give a written notice (if the application was made by a registered remittance network provider for another person to be registered as a remittance affiliate of the provider) to that other person.

[26] “Sensitive information” is defined in s 6 of the Privacy Act. The NPPs are in Schedule 3 of the Privacy Act. See www.privacy.gov.au/law/act.