17. Know your customer and corrupt practices legislation

The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and its associated regulations and rules seek to reduce the risk that transactions involve money laundering or financing of terrorism. It is overseen by the Australian Transaction Reports and Analysis Centre (AUSTRAC).

The AML/CTF Act applies to those entities that provide designated services, which includes a wide range of activities. The legislation imposes an obligation on those entities (“reporting entities”) to adopt and maintain their own anti-money laundering and counter-terrorism financing programs. Generally, a program is divided into two parts:

+ Part A (general), the purpose of which is to identify, mitigate and manage the risk that the services provided by the reporting entity involve money laundering or financing of terrorism; and
+ Part B (customer identification), the purpose of which is to set out customer identification procedures.

In both parts, the emphasis is on putting in place appropriate risk-based systems or controls, depending on the nature, size and complexity of the business.

Reporting entities are also required to report certain transactions to AUSTRAC, perform ongoing customer due diligence and keep accurate records.

18. Privacy, spam and the Do Not Call Register

18.1 National Privacy Principles (NPPs) in the Privacy Act 1988 (Cth)

The Privacy Act 1988 (Cth) (Privacy Act) contains 10 NPPs, which detail how private sector organisations, including businesses, should collect, use, handle, store and disclose “personal information”.

Data security remains the most common NPP compliance issue raised by consumers, followed by the improper use and/or disclosure of personal information.

The Privacy Commissioner has recently taken action against a significant number of entities about whom complaints have been made for alleged breaches of the NPPs. The remedies granted range from the amending of records, apologies, the requirement to change processes and procedures, the granting of access to information, mandatory staff training and the awarding of compensation.

In response to the Australian Law Reform Commission’s (ALRC) review of the Privacy Act and related privacy laws in Australia, which recommended 295 changes to improve Australia’s privacy framework, the Commonwealth Government recently enacted a number of reforms to the Privacy Act in the form of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (the Amendment Act).
The substantive provisions of the Amendment Act take effect from 12 March 2014.

The Amendment Act introduces the following key reforms to the Privacy Act:

+ the introduction of a single set of Privacy Principles applicable to both private and public organisations – the Australian Privacy Principles (APPs);
+ the enhancement of the powers of the Privacy Commissioner, particularly in relation to the Commissioner’s investigative and enforcement powers;
+ the introduction of new civil penalties for serious or repeated breaches of privacy (including the potential imposition of penalties of up to $1.7 million for bodies corporate);
+ new provisions dealing with privacy codes and credit reporting code, including powers for the Privacy Commissioner to develop and register codes that are binding on private sector organisations; and
+ the introduction of a more comprehensive credit reporting scheme and enhanced protections for credit reporting information.

The new APPs provide for the open and transparent management of personal information, will ensure that individuals are permitted to interact with entities without identifying themselves if the entity does not need their personal information, and make the collection of personal information subject to a “functions test”.

The Privacy Act will apply to the overseas handling of personal information by an organisation if it has an “Australian link”. An organisation has an Australian link if (among other things) it is incorporated in Australia, or it carries on business in Australia, and collects or holds personal information in Australia. Of significance, the new privacy protections extend to every person, not just Australian citizens or permanent residents as is currently the case, so long as there is an “Australian link”.

The Commonwealth Government has indicated that the remaining reform and review of the Privacy Act will also be a staged process which will consider the remaining 98 ALRC recommendations. This latter reform is expected to focus on:

+ proposals to clarify or remove certain exemptions from the Privacy Act;
+ introducing a statutory cause of action for serious invasion of privacy;
+ serious data breach notifications;
+ privacy and decision-making issues for children and authorised representatives; and
+ national harmonisation of privacy laws (which has been partially considered in Stage One).