- About this policy
- Collection of personal information
- Disclosure of information
- Security of information
- Accessing personal information and privacy complaints
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s financial intelligence unit and anti-money laundering and counter terrorism-financing regulator.
AUSTRAC administers the Anti-Money Laundering and Counter Terrorism-Financing Act 2006 (AML/CTF Act) and the Financial Transaction Reports Act 1988 (FTR Act). AUSTRAC collects, holds, uses and discloses information as required or authorised under these Acts for the purposes of detecting, deterring and disrupting money-laundering and terrorism-financing risks and threats that affect Australia’s financial systems, and for the purpose of the performance of the AUSTRAC CEO’s functions specified in section 212 of the AML/CTF Act.
The AUSTRAC CEO’s functions include, but are not limited to:
- providing access to, and sharing, AUSTRAC information to support domestic and international efforts to combat money laundering, terrorism-financing and other serious crimes;
- providing advice and assistance in relation to AUSTRAC information to persons and agencies who are entitled or authorised to access AUSTRAC information;
- advising and assisting reporting entities in relation to their obligations under the AML/CTF Act, the regulations and the AML/CTF Rules;
- promoting and monitoring compliance with the AML/CTF Act, the regulations and the AML/CTF Rules.
In performing the AUSTRAC CEO’s functions under the AML/CTF Act, the AUSTRAC CEO is required to have regard to privacy. Further, the AUSTRAC CEO is required to consult with the Information Commissioner in relation to matters that relate to privacy functions, and to take into account any comments the Information Commissioner makes in the course of those consultations.
In this regard, the AUSTRAC CEO is assisted and advised by AUSTRAC’s Privacy Consultative Committee (PCC). The PCC is chaired by AUSTRAC’s General Counsel and, in addition to representative from the Office of the Australian Information Commissioner, comprises of members from other government agencies and civil liberty organisations.
AUSTRAC also collects information under other legislation such as the Freedom of Information Act 1982 (FOI Act), the Public Governance, Performance and Accountability Act 2013 (PGPA Act) and the Public Service Act 1999. The collection of information under other legislation is necessary to enable the AUSTRAC CEO to effectively exercise their statutory powers or perform their functions.
Examples of this include:
- responding to access to information requests from members of the public;
- recruiting staff or engaging contractors;
- procuring goods and services from suppliers;
- managing AUSTRAC workforce planning.
At all times AUSTRAC will only collect personal information it needs for the functions it is performing or activities it is carrying out, whether under the AML/CTF Act or another legislation.
The collection of personal information by AUSTRAC can be either direct or indirect. Examples of how we may collect information directly from you include:
- when you access and use our website and web-based channels;
- when you call our contact centre to speak with one of our staff, or when you write to us about a query you have;
- when you complete an application, for example when you apply to become enrolled with AUSTRAC as a reporting entity, or when you request access to information under the FOI Act;
- when you apply for a job with AUSTRAC.
A large proportion of personal information AUSTRAC collects is collected indirectly. The main way that AUSTRAC collects personal information is from reporting entities. Reporting entities are entities that provide designated services and who have reporting obligations under the AML/CTF Act. The matters that reporting entities are required to report to AUSTRAC are suspicious matters, threshold transactions, and international fund transfer instructions. When these matters are reported to AUSTRAC, the personal information (of the individual/s subject of the report) that is provided to AUSTRAC may include name, date of birth, residential address, telephone or mobile numbers, bank account details, etc.
AUSTRAC may also collect personal information indirectly when:
- the information is lawfully shared with us by other Commonwealth, State or Territory government agencies or authorities, including law enforcement agencies;
- the information is given to AUSTRAC by our service providers or suppliers as a necessary or incidental part of the performance of their contract;
- the information is given to AUSTRAC without being solicited, for example dob-in information;
- the information is obtained from publicly available sources.
Where the personal information collected is ‘AUSTRAC information’, the use and disclosure of that personal information will be subject to various controls and restrictions under the AML/CTF Act. This is discussed in more detail in ‘Disclosure of information’.
The availability of controls and restrictions on use and disclosure of AUSTRAC information under the AML/CTF Act does not prevent controls and restrictions under other relevant legislation from being applicable. For example, the Privacy Act may apply to complement the controls and restrictions under the AML/CTF Act.
3.1. Collecting sensitive information
Sensitive information is a subset of personal information and is defined in section 6 of the Privacy Act as “information or an opinion about an individual’s racial or ethnic origin, political opinion, membership of a political association, health, criminal record, etc.”
AUSTRAC does not actively collect sensitive information about an individual except in limited circumstances:
- Collection from an individual applying to be registered as a remittance service provider or a digital currency exchange (DCE) provider. Under the AML/CTF Rules, an individual applying to be registered as a remittance service provider or a DCE provider is required to disclose any prior convictions and provide a National Police Certificate to enable the AUSTRAC CEO to determine whether registration of the individual is appropriate.
- Collection from a person applying for a job with AUSTRAC in order to assess their suitability for employment pursuant to personnel, security and related purposes.
- When we receive information about persons of interest, which may include their criminal records, from our partner agencies in the course of collaborating on a criminal investigation.
Except in situations otherwise required by legislation, AUSTRAC will allow you to interact with us anonymously or to use a pseudonym if you wish. For example, if you contact AUSTRAC’s contact centre to make a general inquiry and you do not wish to provide your name, we will not insist on asking for your name or other personal information if you indicate you do not wish to provide it.
However, for the most part AUSTRAC will usually need your name and contact details, as well as sufficient information about the particular matter to enable us to effectively and efficiently deal with your inquiry, request or complaint, so withholding your personal information may mean that we are not able to carry out our functions effectively and provide the services you require.
Where personal information is collected by AUSTRAC for employment and HR related purposes, e.g. recruitment, anonymity cannot be accommodated as AUSTRAC needs to know information about the individuals it is recruiting (whether on a permanent basis or not) for purposes including but not limited to employment suitability checks, security clearance vetting, and ongoing employee management.
3.3 Collection by Fintel Alliance
Fintel Alliance is a public/private partnership established and led by AUSTRAC to facilitate the timely and effective sharing of information amongst trusted public and private sector partners to combat money laundering, terrorism financing and other serious crimes. In addition to AUSTRAC, participants of Fintel Alliance include a number of public agencies as well as private entities such as :
- Attorney General’s Department
- Australia and New Zealand Banking Group Limited
- Australian Competition and Consumer Commission
- Australian Criminal Intelligence Commission
- Australian Federal Police
- Australian Financial Crimes Exchange Ltd
- Australian Taxation Office
- Commonwealth Bank of Australia
- Department of Home Affairs
- HSBC Bank Australia Limited
- Macquarie Bank Limited
- National Australia Bank Limited
- National Crime Agency (UK)
- New South Wales Crime Commission
- New South Wales Police Force
- PayPal Australia Pty Limited
- Westpac Banking Corporation
- Western Union Financial Services (Australia) Pty Ltd
As Fintel Alliance is a conglomerate of international and domestic public and private sector partners, it does not usually ‘collect’ information at its own initiative. Rather, information, including personal information, is collected by individual participants in the course of performing their daily functions and activities in accordance with their own governing legislation (for public partners) or business operation (for private partners). Information is then shared within Fintel Alliance in accordance with the information-sharing arrangement articulated in the Fintel Alliance Member Protocol and relevant schedule to the Member Protocol, which is agreed to by all Fintel Alliance participants.
The Fintel Alliance Member Protocol requires all participants of Fintel Alliance to comply with their privacy obligations under the applicable privacy legislation of the jurisdiction to which they are subject (for example, the NSW Police Force would be bound by the NSW privacy legislation instead of the Privacy Act), and with any common law obligations of confidentiality. Public sector Fintel Alliance members are also required to adhere to the secrecy provisions of any relevant legislation that govern their functions and activities, and only disclose and share information (which may include personal information) in accordance with any restrictions imposed by their governing legislation.
See ‘Disclosure of information’ for more details on how information is shared and used within Fintel Alliance.
3.4 Collection through our website
When you visit AUSTRAC’s website, a record of your visit is logged and information is automatically recorded for statistical purposes to enable us to improve the site and our services. This information does not identify you individually and AUSTRAC does not otherwise track information about you and your visits.
Your web browser supplies information that includes:
- the IP address of your device;
- the type of web browser used;
- your device’s operating system;
- the date and time you accessed our website:
- the pages you visited and any documents downloaded;
- if you followed a link to our website from another website – the address of that website
In addition, we make use of third-party sites such as YouTube and others to deliver content. Such third-party sites may send their own cookies to your computer. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.
3.6 Google analytics
Our website uses Google Analytics which transmits website traffic data to servers offshore. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use this data to help us make the website better by understanding how our website is used.
3.7 Social networking services
AUSTRAC uses social networking services such as Twitter, Linked-in and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your information, but we only use it to communicate with you. The social networking service provider will also collect and handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies of these service providers on their websites.
Information, including personal information, which AUSTRAC has lawfully collected under the AML/CTF Act (from reporting entities for example) or any other law of the Commonwealth, State or Territory, or which AUSTRAC has obtained from another government body, is AUSTRAC information. The AML/CTF Act contains provisions that strictly regulate the use and disclosure of AUSTRAC information which is complemented by controls and restrictions available under other legislation (such as the Privacy Act).
Further, the AML/CTF Act expressly provides that in performing the AUSTRAC CEO’s functions, the AUSTRAC CEO must have regard to privacy and must consult with the Information Commissioner in relation to matters that relate to privacy functions, and to take into account any comments made in the course of those consultations.
Therefore, the use and disclosure of AUSTRAC information by us, including where personal information is involved, is carefully managed pursuant to the AML/CTF Act and other relevant legislation like the Privacy Act, and in consultation with the Office of the Australian Information Commissioner (OAIC), to ensure that the use and disclosure is consistent with both the restrictions in the AML/CTF Act and also the Australian Privacy Principles (APPs).
Generally, disclosure of AUSTRAC information is prohibited unless:
- the disclosure is for the purposes of the AML/CTF Act or the FTR Act;
- the disclosure is for the purposes of the performance of the AUSTRAC CEO’s functions;
- the disclosure is in connection with giving access to certain government agencies which, by law, are entitled or authorised to access AUSTRAC information.
Therefore, the typical circumstances in which AUSTRAC information containing personal information may be disclosed, including disclosure outside of AUSTRAC, are as follows:
- disclosure to other government agencies;
- disclosure overseas to government agencies of a foreign country;
- disclosure to courts or tribunals;
- disclosure to reporting entities;
- disclosure within Fintel Alliance.
4.1 Disclosure to other government agencies
The Australian Taxation Office and certain partner agencies, known as designated agencies, are authorised to access AUSTRAC information under the AML/CTF Act. Therefore, where AUSTRAC has disclosed AUSTRAC information including personal information under such an access arrangement, the disclosure is lawful.
An official of a designated agency who has accessed AUSTRAC information is prohibited from further disclosing the information, unless the disclosure is for the purpose of, or in connection with, the official’s duties.
AUSTRAC can also, at its discretion, disclose AUSTRAC information to other government agencies that are not designated agencies, provided the disclosure is for the purposes of the AML/CTF Act or the FTR Act, or the disclosure is for the purposes of the performance of the functions of the AUSTRAC CEO.
4.2 Disclosure to foreign government agencies
AUSTRAC may also disclose AUSTRAC information containing personal information to the government agencies of a foreign country (for example, to AUSTRAC’s overseas counterpart) from time to time if the disclosure is appropriate in all the circumstances.
Before we disclose information to a foreign government agency for the first time, we will sign a Memorandum of Understanding (MoU) with the foreign government agency. The MoU will clearly articulate the terms and conditions relating to the confident treatment of the information, the controls that will be applied to the use of the information, and include an undertaking that the information will be used only for certain purposes specified in the MOU.
4.3 Disclosure to courts or tribunals
Occasionally, court or tribunal proceedings may arise that demand the disclosure of AUSTRAC information containing personal information.
The AML/CTF Act provides that except where it is necessary to do so for the purpose of giving effect to the AML/CTF Act or the FTR Act, we are not to be required to produce to a court or tribunal documents containing AUSTRAC information, or to disclose AUSTRAC information.
This ensures that we are able to determine, on a case by case basis, whether disclosure of AUSTRAC information containing personal information is necessary and in the public interest because the court or tribunal proceedings relate to a matter of anti-money laundering or counter terrorism-financing concern, or whether the information should be withheld having regard to all the circumstances.
4.4 Disclosure to reporting entities
AUSTRAC may disclose personal information to reporting entities in order to obtain further information that we reasonably believe the reporting entity may have about the person to whom the personal information relates, as permitted under the AML/CTF Act.
For example, if we suspect that a customer of a bank is involved in money-laundering activities, we may disclose the personal information of that customer to the bank for the purposes of enabling the bank to identify the customer in question and to provide us with the information requested.
4.5 Disclosure of information within Fintel Alliance
Although Fintel Alliance consists of AUSTRAC representatives as well as public and private participants from both partner agencies and industry, there is no confusion over privacy obligations and all disclosure of personal information within and by Fintel Alliance is governed by the relevant, applicable legislation. The requirement to comply with privacy obligations is also expressly articulated in the Fintel Alliance Member Protocol that all participants have agreed to.
Private Fintel Alliance participants that are reporting entities disclose personal information to AUSTRAC in pursuance of their reporting obligations under the AML/CTF Act. They may also disclose personal information to AUSTRAC in response to compulsory notices for production of information issued under the AML/CTF Act.
Outside of their reporting obligations and requirement to respond to compulsory notices, private Fintel Alliance participants may also voluntarily disclose personal information to AUSTRAC and other public Fintel Alliance participants that are ‘enforcement bodies’ for the purposes of the Privacy Act, if the private Fintel Alliance participant reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, AUSTRAC and/or other public Fintel Alliance participants.
Disclosure and sharing of personal information by public Fintel Alliance participants is undertaken in accordance with the respective legislation governing the public Fintel Alliance participant. Therefore, just as AUSTRAC will only disclose personal information constituting AUSTRAC information within Fintel Alliance in accordance with and subject to the restrictions in the AML/CTF Act, other public Fintel Alliance participants will only disclose personal information in their possession in accordance with their governing legislation.
When AUSTRAC receives your personal information, whether directly from you or indirectly from other sources, the information is stored in a secure environment. In addition to information classification and dissemination limitation markers, all information kept on our electronic databases is protected by security measures such as password protection or access restriction to only authorised personnel. Your personal information will not be used or disclosed unless you have consented to that use or disclosure, or the AML/CTF Act or another law permits it.
AUSTRAC takes reasonable steps to ensure your personal information is protected from misuse, loss and unauthorised access, modification or disclosure. We may hold your information in either electronic or hard copy form. Personal information that is no longer needed is destroyed in accordance with the requirements of the Archives Act 1983.
As our website is linked to the internet, there are inherent risks associated with the transmission of information via the internet. Although AUSTRAC has implemented security measures, it is not possible to provide absolute guarantees as to the security of data you communicate and provide to us via an online transmission. Any personal information or other information which you send to us is transmitted at your own risk.
If you have concerns in this regard, AUSTRAC has alternative methods of obtaining and providing information. Normal mail, telephone and fax facilities are available.
6.1 Accessing and correcting personal information
You are entitled to request access to your own personal information, including for the purpose of correcting your personal information, unless the provisions of the Freedom of Information Act 1982 or another law of the Commonwealth that provides for access by persons to documents require or permit us to refuse to give access.
Requests for access to your own personal information are free.
Request for your own personal information may be made to AUSTRAC’s Privacy and Information Access Team (PIAT) by:
Privacy and Information Access Team
c/ Attorney General's Department
BARTON ACT 2600
We will respond to request to access (and where relevant, correct) your own personal information within 30 days of receiving the request. If we are required or permitted to refuse access, we will give you a written notice setting out:
- the reasons for refusing access (unless it would be reasonable to do so having regard to the circumstances); and
- the mechanisms available to you to complain about the refusal.
6.2 Making a complaint
If you wish to make a complaint about how AUSTRAC has handled your personal information, please do so in writing. If you need help lodging a complaint, you can contact the PIAT on 02 6120 2631.
Complaints can be made to AUSTRAC via the PIAT by:
Privacy and Information Access Team
c/ Attorney General's Department
BARTON ACT 2600
If we receive a complaint from you, we will acknowledge your complaint within 3 business days of receiving the complaint.
We will consider your complaint and decide what action (if any) we need to take to resolve the complaint. This may include, for example, referring your complaint to AUSTRAC’s Privacy Officer for investigation about the AUSTRAC staff member whose actions you are complaining about, or reviewing the security of our data bases, as the case requires.
We will respond to your complaint within 30 days (or another timeframe agreed with you) of receiving your complaint and explain the actions we have taken or propose to take to address the issues raised in your complaint. If you are not satisfied with AUSTRAC’s response to your complaint, you may ask for a review by a senior officer within AUSTRAC. You may also lodge a complaint to the Office of the Australian Information Commissioner by email to firstname.lastname@example.org or by post to GPO Box 5218, Sydney NSW 2001.