Privacy policy

This privacy policy was revised in November 2022. Key updates include changes to reflect amendments to the AML/CTF Act relating to use and disclosure of AUSTRAC information, and implications of the global transition to ISO20022 based international fund transfers by SWIFT.

1. About this policy

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s anti-money laundering and counter terrorism-financing (AML/CTF) regulator and financial intelligence unit (FIU).  As the AML/CTF regulator and FIU, AUSTRAC’s objectives are to detect, deter and disrupt the threats and risks of money laundering, terrorism financing (ML/TF) and serious crimes.  To achieve these objectives, AUSTRAC regulates reporting entities to deliver best practice AML/CTF outcomes and share actionable financial intelligence to support domestic and international efforts to combat such threats and risks.

The Privacy Act 1988 (Privacy Act) requires agencies and entities bound by the Australian Privacy Principles (APPs) to have a privacy policy concerning the handling and management of personal information.  AUSTRAC is an agency bound by the APPs.  Therefore, this privacy policy outlines AUSTRAC’s practices for the collection, storage, use and disclosure of personal information to carry out its functions under the Anti-Money Laundering and Counter Terrorism-Financing Act 2006 (AML/CTF Act), the Financial Transaction Reports Act 1988 (FTR Act), and any other legislation that confers powers or functions on the AUSTRAC CEO such as the Privacy Act itself, the Freedom of Information Act 1982 (FOI Act) and the Public Service Act 1999.   

This privacy policy covers all aspects of AUSTRAC’s functions including the Fintel Alliance, a public/private AML/CTF partnership established and led by AUSTRAC to facilitate the sharing of information and financial intelligence amongst trusted public and private sector partners to combat money laundering, terrorism financing and other serious crimes.

In addition to outlining, in simple and plain English, AUSTRAC’s practices for the handling and management of personal information (including, where relevant, any sensitive information – which is defined in the Privacy Act and refers to specific kinds of personal information such as criminal records or health information), this privacy policy also provides information on how you can access and correct your personal information held by AUSTRAC, and how you can contact AUSTRAC to make a complaint if you believe your personal information has not been appropriately dealt with.  

2. Collection of personal information

At all times AUSTRAC will only collect personal information it needs to perform its functions, whether under the AML/CTF Act or any other legislation. 

AUSTRAC’s functions under the AML/CTF Act include:

  • to provide access to, and share, AUSTRAC information to support domestic and international efforts to combat ML/TF and other serious crimes;
  • to provide advice and assistance in relation to AUSTRAC information to persons and agencies who are entitled or authorised to access AUSTRAC information;
  • to advise and assist reporting entities in relation to their obligations under the AML/CTF Act, the regulations and the AML/CTF Rules;
  • to facilitate gaining access on a timely basis to the financial, administrative and law enforcement information that the AUSTRAC CEO requires to properly undertake the AUSTRAC CEO's financial intelligence functions.

AUSTRAC information is defined in section 5 of the AML/CTF Act.  In very general terms, it refers to information – whether or not it is also personal information – which AUSTRAC has lawfully obtained under legislation or from another government body, as well as information that AUSTRAC has generated, e.g. a compilation or analysis of the information AUSTRAC obtained.

Functions under other legislation for which AUSTRAC collects personal information include, for example, responding to requests for information under the FOI Act, or procuring services from contractors and service providers under the Public Governance, Performance and Accountability Act 2013. 

AUSTRAC collects this personal information directly and indirectly to fulfil these functions.  Examples of how we may collect information directly from you include: 

  • when you access and use our website and web-based channels;
  • when you call our contact centre to speak with one of our staff, or when you write to us about a query you have;
  • when you complete an application, for example when you apply to be enrolled with AUSTRAC as a reporting entity, or when you request access to information under the FOI Act;
  • when you apply for a job with AUSTRAC;
  • when you submit a report to AUSTRAC about the cross-border movement of physical currency or bearer negotiable instruments into or out of Australia.

A large proportion of personal information AUSTRAC collects is collected indirectly.  One of the many ways in which personal information is collected indirectly is from reporting entities.  Reporting entities are entities that provide designated services, i.e. services that are listed in s 6 of the AML/CTF Act and which include things such as loans, cash deposits, issue or sale of security or derivative, remittance, gambling services, etc.

Reporting entities are subject to AUSTRAC’s regulatory supervision and have various obligations under the AML/CTF Act, including a requirement to report financial transactions (threshold transactions and international fund transfer instructions) and suspicious activities.  From November 2022, ISO20022 will be implemented by SWIFT as the global end-to-end messaging system for international fund transfers conducted between financial institutions. As ISO20022 will include a greater amount of data aimed at increasing the transparency and security of international fund transfers, this will result in the collection of a greater amount of personal information by AUSTRAC via reports of international fund transfer instructions submitted by reporting entities.

When financial transactions or suspicious activities relating to individual customers are reported to AUSTRAC, the personal information of those customers is submitted to AUSTRAC and may include name, date of birth, residential address, telephone or mobile numbers, bank account details, and other details the reporting entity determines relevant to the financial transactions or suspicious activities of the customer. Reporting entities may also be required, under compulsory notice, to provide personal information to AUSTRAC in the course of AUSTRAC’s supervision of the reporting entities’ compliance with other AML/CTF obligations or during enforcement investigations of breaches of the AML/CTF Act.

AUSTRAC may also collect personal information indirectly when: 

  • the information is lawfully obtained from other Commonwealth, State or Territory government agencies or authorities, including law enforcement agencies, or government of a foreign country or a foreign agency.  For example, AUSTRAC may obtain personal information from another agency for the purpose of conducting a data-matching exercise to support and enhance the performance of our AML/CTF regulatory functions and financial intelligence functions, or we may obtain information from an international counterpart in relation to persons of interest suspected of engaging in money laundering or other illicit financial activities;
  • our service providers or suppliers provide information to AUSTRAC as a necessary or incidental part of the performance of their contract;
  • the information is given to AUSTRAC without being solicited, for example dob-in information from members of the public about suspected financial crime;
  • the information is obtained or originates from public sources such as news and media websites, other open sources such as social networking platforms, or other publicly accessible sources operated by third party vendors (with or without payment/subscription).

Personal information lawfully collected by AUSTRAC becomes AUSTRAC information.  This means that, in addition to the various requirements of the APPs, the use and disclosure of such personal information (as AUSTRAC information) is also subject to the controls and restrictions provided for by the secrecy and access provisions in the AML/CTF Act.  This is discussed in more detail in ‘Disclosure of information’.  

Where personal information has been lawfully obtained pursuant to a contract (and becomes AUSTRAC information), the disclosure of the personal information may also be subject to any relevant terms and conditions stipulated in the contract.

2.1 Collecting sensitive information

The circumstances in which AUSTRAC may collect sensitive information include, but are not limited to:

  • Where an entity applies to be registered as a remittance service provider or a digital currency exchange (DCE) provider, AUSTRAC collects information about any criminal record/prior convictions of the entity’s key personnel to determine whether registration of the entity as a remittance service provider or DCE provider is appropriate. Such collection could be from the entity directly, or could be from AUSTRAC’s partner agencies.
  • For security purposes, AUSTRAC collects sensitive information from individuals applying for jobs with AUSTRAC, or providing services to AUSTRAC under contract, in order to assess their suitability for employment or as a contracted service provider.  Where required, AUSTRAC may also collect sensitive information from its staff members during the course of their employment.
  • When we receive information from other government agencies in the course of collaborating on a law enforcement investigation.

2.2 Anonymity

Except where circumstances or legislation require it, AUSTRAC will allow you to interact with us anonymously or to use a pseudonym if you wish.  For example, if you contact AUSTRAC’s contact centre to make a general inquiry and you do not wish to provide your name, we will not insist on asking for your name or other personal information if you indicate you do not wish to provide these details.

However, for the most part AUSTRAC will usually need your personal information such as your name and contact details and any other relevant information to enable us to effectively and efficiently respond to the matter that you may be inquiring about, so withholding your personal information may mean that we are not able to carry out our functions and provide the services you require.  For example, if you seek access to your own personal information held by AUSTRAC but do not provide your name, date of birth and other personal information reasonably necessary for us to identify information relating to you in our data holdings, then we would not be able to assist you with your access request.

2.3 Collection by Fintel Alliance

Fintel Alliance is an AUSTRAC established and led public/private partnership to facilitate the timely and effective sharing of information amongst trusted public and private sector partners to combat and disrupt money laundering, terrorism financing and other serious crimes. Government agencies and private entities participating in Fintel Alliance include the Attorney General’s Department, the Australian Criminal Intelligence Commission, the Australian Federal Police, some of the major banks, and various State police forces.

As Fintel Alliance is a conglomerate of international and domestic public and private sector partners, it does not usually ‘collect’ information at its own initiative.  Rather, information, including personal information, is collected by individual participants in the course of performing their daily functions and activities in accordance with their own governing legislation (for public partners) or business operation (for private partners).  Information is then shared within Fintel Alliance in accordance with the information-sharing arrangement outlined in the Fintel Alliance Member Protocol and relevant schedule to the Member Protocol, which is agreed to by all Fintel Alliance participants. 

The Fintel Alliance Member Protocol requires all participants of Fintel Alliance to comply with their privacy obligations under the applicable privacy legislation of the jurisdiction to which they are subject (for example, the NSW Police Force would be bound by the NSW privacy legislation instead of the Privacy Act), and with any common law obligations of confidentiality.  Public sector Fintel Alliance participants are also required to adhere to the secrecy provisions of any relevant legislation that govern their functions and activities, and only disclose and share information (which may include personal information) in accordance with any restrictions imposed by their relevant governing legislation.

See ‘Disclosure of information’ for more details on how information is shared and used within Fintel Alliance.

2.4 Collection through our website

When you visit AUSTRAC’s website www.austrac.gov.au, a record of your visit is logged and information is automatically recorded for statistical purposes to enable us to improve the site and our services.  This information does not identify you individually and AUSTRAC does not otherwise track information about you and your visits. 

Your web browser supplies information that includes:

  • the IP address of your device;
  • the type of web browser used;
  • your device’s operating system;
  • the date and time you accessed our website;
  • the pages you visited and any documents downloaded; and
  • if you followed a link to our website from another website – the address of that website.

2.5 Cookies

Our website uses cookies to better serve you when you return to the website. A cookie is a piece of data that a site can send to your browser, which may then be stored on your computer as an anonymous tag that identifies your computer but not you.

In addition, we make use of third-party sites such as YouTube and others to deliver content. Such third-party sites may send their own cookies to your computer. We do not control the setting of third-party cookies and suggest you check the third-party websites for more information about their cookies and how to manage them.

Most internet browsers are pre-set to accept cookies. If you prefer not to receive cookies, you can adjust your internet browser to refuse cookies or to warn you when cookies are being used.

2.6 Google Analytics

Our website uses Google Analytics which transmits website traffic data to servers offshore. Google Analytics does not identify individual users or associate your IP address with any other data held by Google.  We use this data to help us make the website better by understanding how our website is used.

2.7 Social networking services

AUSTRAC uses social networking services such as Twitter, LinkedIn and YouTube to communicate with the public about our work.  When you directly engage with us using these services we may collect your information, but we only use it to communicate with you.  The social networking service provider will also collect and handle your personal information for its own purposes.  These services have their own privacy policies.  You can access the privacy policies of these service providers on their websites.

We also collect personal information from open sources such as social networking platforms or websites (among other sources) to strengthen our analysis of financial intelligence information and enhance the synthesis and development of intelligence products, which are shared with other government agencies or entities in accordance with our functions to support domestic and international efforts to combat the threats of money laundering, terrorism financing and other serious crimes.

3. Disclosure of information

Information, including personal information, which AUSTRAC has lawfully collected under the AML/CTF Act or any other law of the Commonwealth, State or Territory, or which AUSTRAC has obtained from another government body, is AUSTRAC information.  The AML/CTF Act, together with other applicable legislation such as the Privacy Act, governs the use and disclosure of AUSTRAC information.     

Disclosure of AUSTRAC information is prohibited unless a relevant exception applies.  These include disclosure for the purposes of the AML/CTF Act or the FTR Act; disclosure for the purposes of the performance of the AUSTRAC CEO’s functions; or disclosure to an official of a Commonwealth, State or Territory agency for the purpose of the performance or exercise of the official’s functions, duties or powers in relation to the agency.  Put simply, disclosure of AUSTRAC information, such as financial transaction reports, suspicious matter reports, or financial intelligence products, will fall within one of the aforementioned exceptions if the disclosure relates to or supports our and other agencies’ law enforcement, regulatory or intelligence efforts to detect, deter and disrupt money laundering, terrorism financing and other serious crimes.

Examples of circumstances in which we may disclose AUSTRAC information containing personal information outside of AUSTRAC include:

  • disclosure to other government agencies to support an investigation of a crime or other breaches of the law;
  • disclosure to a foreign government or a foreign agency to combat money laundering, terrorism financing or other serious crimes;
  • disclosure to courts or tribunals in proceedings where AUSTRAC information may be relevant;
  • disclosure to reporting entities to enable compliance with the AML/CTF Act;
  • disclosure within Fintel Alliance.

3.1 Disclosure to other government agencies

Under the AML/CTF Act, the AUSTRAC CEO may authorise officials from specific Commonwealth, State or Territory agencies to access AUSTRAC information.  We may also, at our discretion, voluntarily disclose AUSTRAC information to an official of another Commonwealth, State or Territory agency pursuant to one of the aforementioned exceptions.  

An authorised official of a Commonwealth, State or Territory agency who has obtained AUSTRAC information is prohibited from further disclosing the information, unless the disclosure is for the purpose of the performance of the official’s duties, or the disclosure is to another official of a Commonwealth, State or Territory agency for the purpose of the performance of the other official’s duties.

3.2 Disclosure to foreign government agencies

AUSTRAC may also disclose AUSTRAC information containing personal information to the government of a foreign country or a foreign agency (for example, to AUSTRAC’s overseas counterpart) from time to time if the disclosure is appropriate in all the circumstances. 

Before we disclose information to a foreign government or a foreign agency, we will generally negotiate and sign an information-sharing Memorandum of Understanding (MOU) with the foreign government or foreign agency where we anticipate we will engage in frequent sharing of information with that foreign government or foreign agency.  The MOU will clearly articulate the terms and conditions relating to the confidential treatment of the information, the controls that will be applied to the use of the information, and include an undertaking that the information will be used only for certain purposes specified in the MOU.  

In situations where information is being shared on an ad hoc basis such that the negotiation of a MOU may not be necessary or warranted, before we share the information we will still seek an undertaking from the relevant foreign government or foreign agency (usually in the form of a letter of agreement) to assure ourselves that the foreign government or foreign agency will only use the information for the purpose for which it is shared and that they will handle and protect the information appropriately.

In circumstances where there is an urgent need to share AUSTRAC information because of a critical incident or for public safety and we do not have an MOU with the relevant foreign government or foreign agency, and there is no time to sign a letter of agreement (e.g. a terrorist attack), the AUSTRAC CEO may disclose AUSTRAC information without seeking an undertaking, but the disclosure of AUSTRAC information must still be appropriate in all of the circumstances.

3.3 Disclosure to courts or tribunals

Occasionally, court or tribunal proceedings may arise that demand the disclosure of AUSTRAC information containing personal information. 

The AML/CTF Act provides that except where it is necessary to do so for the purpose of giving effect to the AML/CTF Act or the FTR Act, we are not to be required to produce to a court or tribunal documents containing AUSTRAC information, or to disclose AUSTRAC information (the same applies to any other person who has obtained AUSTRAC information).

This ensures that we can determine, on a case by case basis, whether disclosure of AUSTRAC information containing personal information is necessary or appropriate, or whether the information should be withheld having regard to all the circumstances.

3.4 Disclosure to reporting entities

AUSTRAC may disclose personal information to reporting entities in order to obtain further information that we reasonably believe the reporting entity may have about the individual to whom the personal information relates, as permitted under the AML/CTF Act. 

For example, if following review of some financial transaction reports we suspect that a customer of a bank may be involved in money laundering or other criminal activities, we may disclose the personal information of that customer to the bank for the purposes of enabling the bank to identify the customer in question and providing us with further information that will assist our or other law enforcement agencies’ investigations into that customer.

3.5 Disclosure of information within Fintel Alliance

Under the Fintel Alliance Member Protocol which all public and private participants of Fintel Alliance have agreed to, participants disclose and share personal information with each other in accordance with the respective legislation that applies to them.

Just as AUSTRAC will only disclose personal information constituting AUSTRAC information within Fintel Alliance in accordance with and subject to the restrictions in the AML/CTF Act, other public Fintel Alliance participants will only disclose personal information in their possession in accordance with their governing legislation (and the relevant privacy legislation that applies to them). 

Private Fintel Alliance participants that are reporting entities disclose personal information to AUSTRAC pursuant to their reporting obligations under the AML/CTF Act.  They may also disclose personal information to AUSTRAC in response to compulsory notices for production of information issued under the AML/CTF Act. 

Outside of their reporting obligations and requirement to respond to compulsory notices, private Fintel Alliance participants may also voluntarily disclose personal information to AUSTRAC and other public Fintel Alliance participants that are “enforcement bodies” for the purposes of the Privacy Act, if the private Fintel Alliance participant reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, AUSTRAC and/or other public Fintel Alliance participants. 

Disclosure of personal information by private Fintel Alliance participants which are not reporting entities is subject to the relevant privacy legislation that applies to them.  

4. Security of information

When AUSTRAC receives your personal information, whether directly from you or indirectly from other sources, the information is stored in a secure environment.  In addition to information classification and dissemination limitation markers, all information kept on our electronic databases is protected by security measures such as password protection or access restriction to only authorised personnel. 

AUSTRAC will not use or disclose your personal information unless you have consented to that use or disclosure, or the use or disclosure is otherwise required or authorised by the AML/CTF Act or other relevant legislation.   

AUSTRAC takes reasonable steps to ensure your personal information is protected from misuse, loss and unauthorised access, modification or disclosure.  We may hold your information in either electronic or hard copy form.  Personal information that is no longer needed is destroyed in accordance with the requirements of the Archives Act 1983. 

As our website is linked to the internet, there are inherent risks associated with the transmission of information via the website.  Although AUSTRAC has implemented security measures, it is not possible to provide absolute guarantees as to the security of information you communicate and provide to us.  Any personal or other information which you send to us is transmitted at your own risk.

If you have concerns in this regard, AUSTRAC has alternative methods of obtaining and providing information. For example we may communicate with you by postal mail or telephone instead.

5. Accessing personal information and privacy complaints

5.1 Accessing and correcting personal information

You are entitled to request access to your own personal information, including for the purpose of correcting your personal information, unless the provisions of the FOI Act or other legislation require or permit AUSTRAC to refuse to give access.

Requests for access to your own personal information are free.

A request for your own personal information may be made to AUSTRAC’s Privacy and Information Access Team (PIAT) by emailing info_access@austrac.gov.au.

We will respond to requests to access (and where relevant, correct) your own personal information within 30 days of receiving the request.  If we are required or permitted to refuse access, we will give you a written notice setting out:

  • the reasons for refusing access; and
  • the mechanisms available to you to make a complaint about the refusal.

5.2 Making a complaint

If you wish to make a complaint about how AUSTRAC has handled your personal information, please do so in writing.  If you need help lodging a complaint, you can contact the PIAT on 02 6120 2631.

Complaints can be emailed to AUSTRAC at info_access@austrac.gov.au.

If we receive a complaint from you, we will acknowledge your complaint within 3 business days of receiving the complaint.  

We will consider your complaint and decide what action (if any) we need to take to resolve the complaint.  This may include, for example, referring your complaint to AUSTRAC’s Privacy Officer for investigation about the AUSTRAC staff member whose actions you are complaining about, or reviewing the security of our databases, as the case may require.

We will respond to your complaint within 30 days (or another timeframe agreed with you) of receiving your complaint and explain the actions we have taken or propose to take to address the issues or concerns raised in your complaint.  If you are not satisfied with AUSTRAC’s response to your complaint, you may ask for a review by a senior executive within AUSTRAC.  You may also lodge a complaint to the Office of the Australian Information Commissioner.

The content on this website is general and is not legal advice. Before you make a decision or take a particular action based on the content on this website, you should check its accuracy, completeness, currency and relevance for your purposes. You may wish to seek independent professional advice.

Last updated: 19 Jan 2024
Page ID: 336
