Generic program protocol - Autosearching
- Description of program
- Administration of program
The Privacy Commissioner's Guideline: The use of data matching in Commonwealth Administration-Guidelines (the Guidelines), dated February 1998, specifies that a program protocol should be prepared by agencies conducting significant data matching programs. The Australian Transaction Reports & Analysis Centre (AUSTRAC) has agreed to voluntarily comply with these guidelines, which are not legally binding.
Generally speaking, AUSTRAC acts as the 'matching agency' (1) in any data matching exercise involving the ultimate use of AUSTRAC information by another agency. Under the Guidelines, the matching agency is not responsible for preparing the data matching Program Protocol. This responsibility lies with the agency who is the 'Primary User' (2) of the matched data. However, AUSTRAC has elected to prepare a generic Program Protocol which describes the generic aspects of data matching exercises involving the matching of AUSTRAC information against other agencies' data.
The information in this Protocol is to be made publicly available.
In instances where AUSTRAC acts as the 'Primary User' on any data matching exercise, where the Privacy Commissioner's definition of Data matching is met, an additional generic program protocol has been prepared.
AUSTRAC maintains a database which contains eligible collected information including financial transaction information. This information is provided to AUSTRAC by cash dealers in accordance with their obligations under the Financial Transaction Reports Act 1988 (FTR Act) and the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (AML/CTF Act).
The types of reports submitted by cash dealers to AUSTRAC are:
- significant cash transaction reports (3);
- suspect transaction reports; and
- international funds transfer instructions.
AUSTRAC also receives and maintains reports of cross border movements of physical currency (CBM-PC's) in respect of transfers of currency into or out of Australia, where the value of the currency is equal to or greater than A$10,000 or a foreign currency equivalent.
In addition, AUSTRAC receives and maintains reports of cross border movements of bearer negotiable instruments (CBM-BNI's), whereby a person travelling into or out of Australia can be requested to declare whether they have in their possession any bearer negotiable instruments including, but not limited to, travellers cheques, cheques and bills of exchange. These declarations are reported to AUSTRAC.
Access to AUSTRAC information is limited to agencies prescribed in sections 125 and 126 of the AML/CTF Act (designated agencies).
On occasion, an authorised agency may seek to match data it holds against AUSTRAC information. This process is referred to by AUSTRAC as Autosearching.
Autosearching is a process of matching names, addresses, account numbers or identification numbers contained within AUSTRAC information against similar information held by an authorised agency. AUSTRAC Autosearching output provides a detailed summary of the information held by AUSTRAC on each of the names, addresses, account numbers or identification numbers provided by the authorised user agency.
Typically, the Autosearch will involve the following processes:
- the authorised agency provides AUSTRAC with an electronic list of names, addresses, account numbers or identification numbers;
- AUSTRAC matches this list against AUSTRAC data holdings that have the same name, address, account or identity;
- any matches found are summarised into aggregate values for each name and/or address, account number or identification number; and
- the summary of the matched data is provided to the authorised agency.
The objectives of any data matching program are generally determined by the user agency seeking to match data held by AUSTRAC.
However, generally speaking, some of the objectives that an authorised agency may be seeking to achieve could include:
- identification of individuals and/or entities breaching Australian Government, State or Territory laws;
- identification of individuals and/or entities who may be failing to meet their obligations with respect to Australian Government, State or Territory taxes;
- enabling an authorised agency to better assess areas of major risk with respect to compliance with relevant laws; and
- improved efficiencies and effectiveness through electronically matching data rather than manually searching records.
The Agencies involved in data matching programs are:
- The Matching Agency: in almost any data matching program involving AUSTRAC's database, AUSTRAC is the matching agency, wherein AUSTRAC's computer facilities are used to match the data provided by another agency. As the matching agency, AUSTRAC provides the summary data to the user Agency.
- The Primary user agency: is the agency that has requested AUSTRAC to complete the data matching exercise. Agencies entitled to request such data matching are limited to agencies authorised to access AUSTRAC information under the AML/CTF Act. The primary user agency provides AUSTRAC with the list of names, addresses, account numbers or identification numbers to be matched. In return, AUSTRAC provides the matching agency with a summary of the AUSTRAC records for each of the names, addresses, accounts or identities provided. Generally speaking, AUSTRAC will not authorise the release of the matched data to any other agency, apart from the primary user agency.
Data used in an Autosearch comes from two sources, being data provided by the primary user agency and the information from AUSTRAC's database.
Data provided by Primary User Agency
The primary user agency provides AUSTRAC with a file containing the names, addresses, account numbers or identification numbers to be matched. Files are provided in the form of an electronic spreadsheet. If there are more than 5,000 records to be matched, then the Autosearch must comply with the Guidelines. The quality and integrity of the data provided to AUSTRAC is the responsibility of the primary user agency.
Upon receipt, the relevant AUSTRAC officer will take the necessary precautions to protect the data provided by the primary user agency. AUSTRAC officers are subject to stringent security controls and the confidentiality and authorisation provisions of the AML/CTF Act. Access to AUSTRAC's premises is strictly controlled and stringent procedures are in place in relation to the storage of and access to sensitive information, either electronically or in paper form.
Information on AUSTRAC's database
Data provided by the primary user agency is matched against AUSTRAC's database. Information on the AUSTRAC database is subject to proactive scrutiny, through both manual and automated procedures, to ensure its quality and accuracy. Access to the AUSTRAC database is restricted to those authorised under the AML/CTF Act and as stipulated within Memoranda of Understanding agreed between the Director of AUSTRAC and the head of each authorised agency. The ability to amend records on the AUSTRAC database is restricted to a small number of specified AUSTRAC officers and electronic, auditable records are maintained in respect of such amendments.
Security features on the AUSTRAC database include:
- logon identification codes;
- passwords; and
- security access level groupings.
These procedures are strictly enforced to ensure the integrity and security of the information held by AUSTRAC.
The Technical Standards Report prepared by AUSTRAC for Autosearching provides a detailed explanation of the data matching process. The information contained in that report is not publicly available.
Generally speaking, AUSTRAC matches the list of names, addresses, account numbers or identification numbers provided by another agency against AUSTRAC information that has the same name, address, account number or identification number.
Any matches found are then summarised into aggregate values for each name, address, account number or identification number provided. An electronic summary report is then produced and provided to the primary user agency. This report will generally include the type of matched report as well as the number and dollar value of each report type held on the identified name, address, account number or identification number.
AUSTRAC's Autosearch Technical Standards Report provides a detailed explanation of the security procedures adopted by AUSTRAC to prevent the unauthorised access, modification or loss of the matched data.
Any administrative actions undertaken as a result of an Autosearch are determined and actioned by the primary user agency.
Data provided to AUSTRAC by the primary user agency for matching is destroyed upon completion of the Autosearch if the number of records to be matched exceeds 5,000. This ensures compliance with the Guidelines.
The matched data records held by AUSTRAC are also destroyed with the completion of the Autosearch if the Autosearch constitutes a data matching exercise.
Prior to completing the matching exercise, AUSTRAC seeks and obtains an undertaking from the user agency that they will destroy the matched data provided to them that is not deemed relevant to the particular exercise within 90 days.
Responsibility for preparation of any public Notice under the Guidelines lies with the primary user agency.
As a consequence, the details of any such notice are beyond the scope of this generic protocol.
The reasons for requesting an Autosearch program are determined by the primary user agency. However, AUSTRAC in considering any request for an Autosearch will seek the following from the primary user agency:
- an undertaking that the proposed data matching exercise forms part of the agency's lawful functions and activities;
- confirmation that they will comply, where applicable, with the terms of the Privacy Act and the Guidelines; and
- confirmation that no other practicable alternatives to data matching are available.
In addition to the above, AUSTRAC ensures that the Autosearching request complies with the secrecy and access provisions of the AML/CTF Act.
(1) The Matching Agency is defined under the Privacy Commissioner's Guidelines as being “… the agency on whose computer facilities the matching is conducted”.
(2) The Primary User Agency is defined under the Privacy Commissioner's Guidelines as being: “… the agency that makes the most substantial use of the program's results. Usually the primary user agency will also be the matching agency, but there will be some programs where the matching is conducted on the computer facilities of an agency that either does not use, or uses only to a minor extent, the results of the program. Where there is more than one agency using the results of a program, user agencies should agree which is the primary user”.
(3) Significant cash transaction reports are also required of solicitors. These are known as 'solicitor transaction reports'.