Proposed changes to Australian Privacy Laws and their impact on AML/CTF compliance

What to know and how to respond

This article analyses a number of significant proposals from the Report which could have an impact on AML/CTF compliance. We assess how these proposals might affect businesses and suggest steps to take to comply with both the Privacy Act and the AML/CTF Act.

Proposed Reforms to the Privacy Act and intersection with the AML/CTF Act

The proposed reforms to the Privacy Act are comprehensive and aimed at providing improved protection of personal information. The three proposals that are most relevant to AML/CTF compliance are:

• Strengthened notice requirements for businesses when collecting and disclosing personal information overseas.
• Additional obligations for entities handling employee records.
• Steps to limit dealing with personal information that an entity no longer needs to retain.

Strengthened notice requirements for businesses when collecting personal information.

Currently, the Australian Privacy Principles (APP) require APP entities to notify individuals if their personal information is likely to be disclosed to an overseas recipient.

APP 8.1 requires the disclosing entity to take reasonable steps to ensure that the overseas recipient of personal information does not breach the APPs in relation to the information. However, disclosing entities do not need to comply with APP 8.1 if they obtain express consent from an individual (whose information is being disclosed) that APP 8.1 will not apply to the disclosure.

The Report proposes amending these principles in the following ways:

1. Proposal 23.4 of the Report recommends strengthening the informed consent exception to APP 8.1, by requiring entities to assess the risks of an overseas disclosure, and to inform individuals that privacy protections may not apply to their information if they consent to the disclosure.
2. Proposal 23.5 of the Report recommends reinforcing APP 5 concerning cross-border disclosures, by compelling APP entities to specify the countries where the overseas recipients are likely to be located (if feasible), and to specify the types of personal information that may be disclosed to those recipients.

These proposed changes may create tension with the existing obligations and practices of reporting entities under the AML/CTF Act. The AML/CTF Act requires companies to gather certain personal information from customers, such as name, date of birth, and address, to authenticate identity and scrutinise transactions for suspicious activity.

This information is regularly shared by reporting entities with their overseas operations. For instance, many reporting entities maintain offshore hubs to conduct customer due diligence. It is quite possible that those jurisdictions do not have the same robust privacy regime as Australia. The tension between these practices and the proposed changes will therefore need to be managed carefully by reporting entities which are covered by both regimes. 

Additional obligations for entities handling employee records

Until now, private sector employers have been exempt from the operation of the Privacy Act with respect to employee records. This exemption was put in place because the handling of employee records was originally believed to be better addressed under workplace relations legislation.

Proposal 7.1 of the Report recommends expanding privacy safeguards to private sector employees, to accomplish the following objectives:

• Enhancing transparency for employees regarding the collection and use of their personal and sensitive information.
• Ensuring that employers have sufficient flexibility to collect, use, and disclose employees' information that is reasonably necessary to manage the employment relationship, including defining the appropriate scope of individual rights and determining if consent is necessary to collect employees' sensitive information.
• Ensuring the protection of employees' personal information from misuse, loss, or unauthorised access and that it is deleted when it is no longer required.
• Notifying employees and the Office of the Australian Information Commissioner (OAIC) about any data breaches involving employees' personal information that are likely to cause significant harm.

Proposal 7.1 of the Report notes that further consultation should be undertaken with employer and employee representatives on how the employee records protections should be implemented in legislation, and developing privacy codes of practice through a tripartite process to clarify obligations regarding collection, use and disclosure of personal and sensitive information.

Companies subject to AML/CTF reporting requirements regularly conduct employee due diligence programs, which are designed to screen both current and potential employees to identify and mitigate the risk of money laundering and terrorism financing by employees. Such programs typically include:

• Verifying the employee's identity.
• Confirming employment history (e.g., through references or referee reports).
• Conducting criminal record checks.

The information garnered by these due diligence programs would stand to be captured by the safeguards outlined under Proposal 7.1 of the Report. If Proposal 7.1 is adopted and extends privacy protections to private sector employees, employers may need to review their AML/CTF due diligence procedures on employees to ensure they comply with the revised privacy obligations. This may involve conducting a risk assessment of the collection, use, and storage of employee information, including whether consent is required for collecting sensitive information, and updating policies and procedures accordingly.

Dealing with personal information that is no longer necessary

APP 11.2 provides that if an entity no longer needs to hold an individual’s personal information, the entity must take reasonable steps to destroy or de-identity the information (subject to retention requirements in other Australian laws or court order).

Proposal 21.5 of the Report suggests enhancing the current OAIC Guidelines in relation to APP 11.2, to provide detailed guidance that more clearly articulates the reasonable steps for APP entities to undertake to destroy or de-identify personal information that is no longer required to be held.

The Report noted that many entities do not take active steps to determine appropriate retention policies. Proposal 21.7 of the Report therefore recommends that APP entities establish their own maximum and minimum retention periods for the personal information they hold, considering the type, sensitivity, and purpose of the information, as well as the entity’s organisational needs and any legal obligations.

Under the AML/CTF Act, reporting entities must keep records related to their AML/CTF program and customer due diligence (CDD) procedures for at least seven years from the transaction date. This includes records of customer identification and verification (e.g., name, date of birth, and address), ongoing customer due diligence, and suspicious matter reports.

AML/CTF reporting entities are also required to have appropriate systems and processes to ensure the integrity, accuracy, and accessibility of their records, including controls to prevent alteration, destruction, or loss of records, and ensuring the ability to retrieve and provide records to regulators and law enforcement agencies upon request.

Therefore, similar to the proposals mentioned above, it will be necessary for reporting entities to examine their policies for storing and retaining personal information to ensure that they conform to the updated privacy requirements.

Why a multi-disciplinary approach is needed

The frameworks for AML/CTF and privacy regulation mutually require the reporting of data breaches and unlawful financial activities involving personal information. To ensure compliance with both the Privacy Act and the AML/CTF Act, entities will require clarity and guidance on the collection, use, and disclosure of personal information in the context of the AML/CTF Act.

The Report acknowledges the varied retention requirements already placed on organisations. To this end, the Report recommends:

• A review of all Commonwealth legislative provisions requiring retention of personal information, to determine if those provisions appropriately balance their intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information (Proposal 21.6); and
• Creation of Commonwealth, State and territory working group to harmonise privacy laws across these jurisdictions and consider the alignment with other laws that require entities to retain personal information (Proposal 29.3).

Assuming the proposals become law, businesses must take active steps to comply with both sets of legislation. AML/CTF reporting entities should familiarise themselves with the proposed changes and how they may interact with their existing obligations under the AML/CTF Act. They should also conduct a risk assessment to identify potential privacy or AML/CTF risks, including assessing the types of personal information they collect, how it is collected, and how it is stored and protected.