Publication date: 1 May 2019

Generally, all businesses with a turnover of more than $3 million need to comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 when handling personal information. However, a business with an annual turnover of less than $3 million who is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), or an authorised agent of a reporting entity, will also need to comply with the APPs in respect of their personal information handling activities in relation to the AML/CTF Act, regulations or the Anti-Money Laundering and Counter-Terrorism Financing Rules.

How much information can be collected for AML/CTF purposes?

When collecting personal information about individuals, reporting entities should limit their collection to what is necessary based on the transaction and their obligations under the AML/CTF Act. For example, in many cases the collection of personal information may be limited to minimum Know Your Customer information. Additional information should not be collected in anticipation of a future use or need.

Can personal information be collected for AML/CTF purposes from sources other than the individual concerned?

Generally, personal information should be collected directly from the individual, unless one of the exceptions in APP 3 applies. Individuals need to be provided with notice regarding the collection of their personal information.

What happens when personal information for AML/CTF purposes is used or disclosed?

Reporting entities must provide individuals with information about how their Know Your Customer information will be used and disclosed, and the purpose of collection. This information could be provided via the reporting entity’s privacy statement or privacy policy. Depending on the transaction, the reporting entity may need to get the individual’s consent to the collection, use and disclosure of their personal information.

You can find more information about privacy statements and policies in Chapter 6: APP 6 – Use or Disclosure of Personal Information.

What happens if personal information for AML/CTF purposes changes?

Reporting entities must take reasonable steps to ensure the personal information they collect is accurate, up-to-date and complete. They must also take reasonable steps to ensure the personal information they hold is accurate, up-to-date, complete and relevant, having regard to the purpose for which the information is held. Reporting entities should check the accuracy of the information when they collect it or when they are using and disclosing the information. Keeping this information as accurate as possible will support informed decision making. You can find more information about keeping accurate records in the APP Guidelines Chapter 10: APP 10 - Quality of Personal Information.

How does personal information for AML/CTF purposes need to be stored?

Reporting entities must protect the security of the information they hold. This might mean taking measures regarding physical and personal security, and also protecting computer, network and voice systems from misuse, interference and loss, and from unauthorised access, modification or disclosure. When personal information is no longer needed the reporting entity should securely destroy the information or de-identify it. You can find more information on security responsibilities in the Guide to Securing Personal Information.

Can an individual correct their Know Your Customer information?

A reporting entity should provide a means to rectify incorrect personal information and take reasonable steps to incorporate correction of personal information. You can find more information about the right to correct information in the APP Guidelines Chapter 13: APP 13 - Correction of Personal Information.

Can sensitive information be collected for AML/CTF purposes?

Some sensitive information may be collected for AML/CTF purposes, for example information about an individual’s political opinions or membership of a political association. Sensitive information is a subset of personal information and is defined in section 6(1) of the Privacy Act.

Sensitive information is generally afforded a higher level of privacy protection under the APPs than other privacy information. This higher level of protection recognises that inappropriate handling of sensitive information can have adverse consequences for an individual.

Where handling of this information is necessary, the sensitive information must be collected with the consent of the individual and stored securely to guard against improper use or disclosure.

What are my obligations in relation to providing individuals with access to information collected for AML/CTF purposes?

Under the  (Privacy Act, if a reporting entity holds personal information about an individual it must, on request, provide that individual with access to their information, except in some specified circumstances.

There are a limited number of situations where a reporting entity may deny access, for example, a reporting entity may be able to deny access to a suspicious matter report lodged with Australian Transaction Reports and Analysis Centre (AUSTRAC) under APP 12.3(h). Reporting entities are required to tell individuals why they are denying access to some or all of their personal information.

For more information about the requirement to provide access please see the Australian Privacy Principles Guidelines (APP Guidelines).