How to use this template
This template privacy collection notice is for reporting entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). It aims to help reporting entities meet their APP 5 obligations under the Privacy Act 1988 (Privacy Act) when collecting personal information for customer due diligence.
The template should be adapted by reporting entities for their specific personal information handling activities. It provides one option for providing notice and entities may choose to apply an alternative notification method.
Using this template does not guarantee compliance with the Privacy Act.
Entities should refer to the Privacy Act, Chapter 5 of the OAIC’s APP Guidelines and the OAIC’s AML/CTF guidance for reporting entities. For information on your AML/CTF customer due diligence obligations, refer to AUSTRAC’s guidance and program starter kits.
What is a privacy collection notice?
When an organisation collects personal information about an individual, it must take reasonable steps to notify the individual of certain matters, or to ensure the individual is aware of those matters.
An organisation must take these reasonable steps before, or at the time, it collects their personal information. If this is not practical, reasonable steps must be taken to notify as soon as practical after collection.
The matters include:
- the APP entity’s identity and contact details
- the fact and circumstances of collection
- whether the collection is required or authorised by law
- the purposes of collection
- the consequences if personal information is not collected
- the entity’s usual disclosures of personal information of the kind collected by the entity
- information about the entity’s APP Privacy Policy
- whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.
The APP 5 requirements acknowledge that it may not be reasonable for an entity to notify individuals of all of the above APP 5 matters in certain circumstances (see Chapter 5 of the OAIC’s APP Guidelines for more information). See also the information below about where there is a risk of ‘tipping off’.
Chapter 5 of the OAIC’s APP Guidelines sets out detailed guidance about the matters that need to be included in a privacy collection notice, and other requirements of APP 5.
Where there is a risk of ‘tipping off’
A reporting entity under the AML/CTF Act must not disclose certain information that would or could reasonably be expected to prejudice an investigation (tipping off).
A reporting entity does not need to notify individuals about some or all of the matters under APP 5 where that notification would be inconsistent with the ‘tipping off’ offence.
If a reporting entity considers that disclosing certain information in the APP 5 collection notice would or could reasonably be expected to prejudice an investigation, it should remove, modify or limit the information in the notice to the extent necessary to avoid the inconsistency. For example, the notice should not mention any specific information about monitoring and reporting suspicious activity, or about producing information or documents in response to an investigation or to requests to give information or produce a document.
Where the risk of tipping off is too high, a reporting entity may need to consider removing more matters from the collection notice or providing a more high-level collection notice. It is expected that only in very limited circumstances would it not be possible for an organisation to provide an APP 5 collection notice at all due to the tipping off offence.
Tips on developing a privacy collection notice
- Think about your audience. Don’t treat notices as legal documents to manage legal risk. The notice should aim to create trust and speak to individuals.
- Don’t just repeat the words in the APPs. Make the privacy notice specific to the particular AML/CTF functions and activities of the reporting entity.
- Focus on what is important to the reader. Do not try to cover everything in minute detail.
- Timing matters. Entities should consider the timing of notices to ensure information is given in context, at the right time, in a way that is easy to read.
- Regularly review notices. Ensure privacy notices reflect current personal information handling practices.
Template
Privacy collection notice for customer due diligence
This privacy collection notice from [insert entity name] outlines why we collect your personal information, what we collect, how we collect it and who we share it with.
Why we need to collect your information
We collect your personal information to comply with the ‘Customer Due Diligence’ requirements in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). This includes to:
[insert purposes, for example:
- establish and verify your identity before providing certain services to you or the person you are acting on behalf of
- assess and manage potential money laundering, terrorism financing, proliferation financing risks or related compliance risks associated with the provision of our services
- make reports required by law under the AML/CTF Act
- meet record keeping obligations under the AML/CTF Act.]
What personal information we collect
We collect the following types of personal information:
- [insert types of personal information you collect for Customer Due Diligence, for example:
- your full name, date of birth, residential address
- photo ID and unique identifier, such as a passport or driver’s licence number]
We also collect the following sensitive information:
- [insert types of sensitive information, for example: whether you are a member of any political, professional or trade associations, which may be used to verify your occupation or to determine whether you are a politically exposed person]
How we collect your information
We will generally collect your personal information by [insert details about how, when and from where you collect personal information, for example:
- Whether personal information is collected directly.
- Whether the personal information will be collected by another entity. For example, if you use a third party identity verification service to collect personal information on your behalf, explain this and provide the name of the entity.
- If you are collecting personal information from other sources such as from registers of companies, trusts, or public records (such as court records, regulatory filings, land registries), financial institutions or professional intermediaries.
- If you collect personal information from another individual, explain this and provide the individual’s name, unless doing so would be an interference with the privacy of that individual (see para 5.11 of Chapter 5 of the OAIC’s APP guidelines for more information).
If it is not practicable to explain all the sources that you use to collect personal information, for instance, because you collect information from a wide variety of entities and have to give a separate notice in relation to each entity, you could indicate the kinds of entities from which you collect that personal information.]
Who we may share your information with
[If you usually disclose any of the personal information to other entities:
We usually disclose [insert kind of personal information] to [insert name of entity] for [insert purpose].
If it is impracticable to list the name of every entity, describe the type of entity that information is disclosed to, for example ‘credit reporting bodies’ or ‘third parties that assist with AML/CTF obligations, including identity verification and storage’.
If any of the entities you disclose information to are located overseas, explain this and specify the relevant countries (see para 5.29 of Chapter 5 of the OAIC’s APP Guidelines for more information).]
We may also share your personal information with AUSTRAC or an entity in our AML/CTF reporting group [insert name of entities in your AML/CTF reporting group, or if impractical to list the name of every entity, describe the type of entities] to meet our legal and regulatory obligations under the AML/CTF Act or the AML/CTF Rules.
What happens if we cannot collect your information
If you do not provide us with your personal information, we may not be able to verify your identity and provide you (or the person you are acting on behalf of) with the services you have requested. [If the individual can receive the service by providing some but not other personal information, explain this.]
Your privacy rights and our privacy policy
Our Privacy Policy contains further information about how we will handle your personal information and how you can access and correct your personal information. It also outlines how to lodge a complaint and how that complaint will be managed if you are concerned about how we handled your information. [Insert link to Privacy Policy and/or explain how it may be physically accessed, for example upon request in the entity’s offices.]
How to contact us about your privacy
[Insert contact details. This could include the position title, telephone number and email address of a contact who handles privacy enquiries and requests, and/or a generic telephone number and email address, or link to an online contact form. It could also include an address for physical mail.]