Dissemination of bulk AUSTRAC information to the Australian Taxation Office and designated agencies

30-JAN-2013

View the PDF version of this policy:

View the PDF file Dissemination of bulk AUSTRAC information to the ATO and designated agencies (PDF, 480KB)


Contents


Introduction

Purpose and objective

This guidance is to assist the AUSTRAC Chief Executive Officer (CEO) in considering requests for the disclosure of bulk AUSTRAC information from:

  • the Commissioner of Taxation or any taxation officer (ATO official); or
  • an appropriately authorised official of a designated agency. (1)

This guidance has been developed with regard to the provisions of the:

  • Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)
  • Financial Transaction Reports Act 1988 (FTR Act)
  • Privacy Act 1988 (Privacy Act).

It also takes into account:

  • the Office of the Australian Information Commissioner's Use of data matching in Commonwealth administration - Guidelines (the Data Matching Guidelines) (2)
  • relevant provisions in the memoranda of understanding (MOUs) which AUSTRAC has in place with each of the designated agencies and the Australian Taxation Office (ATO).

Legal framework

Any disclosure of AUSTRAC information, including bulk AUSTRAC information, must occur in accordance with Part 11 of the AML/CTF Act. In particular, access to AUSTRAC information by Australian Government agencies is governed by Division 4 of Part 11 of the AML/CTF Act.

Access to AUSTRAC information by an ATO official is provided under section 125 of the AML/CTF Act which specifies that the Commissioner of Taxation and any taxation officer is entitled to access AUSTRAC information for any purpose relating to the facilitation of the administration or enforcement of a taxation law. (3)

Access to AUSTRAC information by an officer of a designated agency is provided under subsection 126(1) of the AML/CTF Act. The AUSTRAC CEO may, in writing, authorise specified officials or a specified class of officials of a specified designated agency to have access to AUSTRAC information for the purpose of performing the agency's functions and exercising the agency's powers.

Further information about the legal framework in relation to the dissemination of AUSTRAC information is contained in Appendix 1 to this guidance.

General policy position

The AUSTRAC CEO will provide an ATO official with downloads of bulk AUSTRAC information upon written request, in line with the process outlined in the MOU between AUSTRAC and the ATO and in this guidance. ATO officials can access AUSTRAC information for the purpose of facilitating the administration or enforcement of a taxation law.

Designated agencies do not have an entitlement under the AML/CTF Act to access AUSTRAC information and are restricted in terms of the amount and type of AUSTRAC information they can access pursuant to their respective written authorisations under subsection 126(1) of the AML/CTF Act (included in the MOU between AUSTRAC and the designated agency). Under subsection 126(1) of the AML/CTF Act, the AUSTRAC CEO may, in writing, authorise specified officials or a specified class of officials of a specified designated agency to have access to AUSTRAC information for the purpose of performing the agency's functions and exercising the agency's powers.

The AUSTRAC CEO will consider written requests for bulk AUSTRAC information from an authorised officer of a designated agency on a case-by-case basis in accordance with this guidance. Bulk AUSTRAC information will only be disseminated to designated agencies in restricted circumstances. The requesting designated agency will need to make a formal written request for bulk AUSTRAC information to the AUSTRAC CEO and provide certain supporting information in the request, as specified in this guidance. In particular, the designated agency will need to:

  • demonstrate a justifiable need to access the requested bulk AUSTRAC information, which is not merely a 'fishing' exercise or general fact finding, or related to a matter involving less serious criminal activity
  • satisfy the AUSTRAC CEO that the proposed use for the requested bulk AUSTRAC information directly relates to the agency's prescribed intelligence, regulatory, compliance, law enforcement or information-gathering powers or functions
  • detail how accessing the requested bulk AUSTRAC information:
    • relates to achieving the objectives of the AML/CTF Act or the FTR Act; or
    • will assist in the (proposed) investigation and/or prosecution of serious criminal activity including tax evasion, terrorism financing, money laundering or 'serious and organised crime' (4)
  • explain how it will protect the integrity, security and privacy of the requested bulk AUSTRAC information, once obtained. This includes detailing its procedures in relation to how it proposes to record, store, disclose and ultimately destroy the requested bulk AUSTRAC information.

In releasing any requested bulk AUSTRAC information to a designated agency, the AUSTRAC CEO may decide to impose conditions in relation to the use, protection, recording, storage, disclosure and destruction of the bulk AUSTRAC information.

Exclusions - what this guidance does not cover

This guidance does not cover the following:

  • Provision of bulk AUSTRAC information to government authorities other than the ATO and designated agencies. (5)
  • Provision of (bulk) AUSTRAC information which is the result of data matching (including any data matching undertaken through the autosearch functionality) (6) conducted by AUSTRAC using bulk AUSTRAC information.

Back to the top


Definitions

For the purposes of this guidance, all terms have the same meaning as in the AML/CTF Act unless otherwise defined below:

Autosearching means a process of matching names, addresses, account numbers or identification numbers contained in AUSTRAC's databases of AUSTRAC information, against similar information held by an authorised agency. The AUSTRAC autosearching output provides a detailed summary of the information held by AUSTRAC on each of the names, addresses, account numbers or identification numbers provided by the other agency. (7)

Bulk AUSTRAC information means an electronic extract (whether by way of a single extraction or numerous smaller extractions using the same or similar criteria) from AUSTRAC's databases of AUSTRAC information which:

  1. at an entity level, contains information about more than 5,000 (8) entities (defined below) that cannot otherwise be extracted by an existing standard business practice or function of AUSTRAC's Transaction Reports Analysis and Query (TRAQ) Enquiry System (TES); and
  2. is based on non-entity-specific criteria (9) such as, but not limited to, 'report type', 'period', 'location' and 'amount(s)'; and
  3. is not:
    1. the outcome of a data-matching (including autosearching) or macro-analysis exercise; or
    2. summarised AUSTRAC information which can be extracted by an existing standard business practice or function of TRAQ or TES.

Data matching means the comparison of two or more records or files of personal information (defined below), collected or held for different purposes, using a pre-determined typology with a view to identifying matters of interest.

For example, a designated agency provides its data holdings of certain identity information about multiple individuals (such as name, address and one or more other identifiers), which is then matched against AUSTRAC information with the objective of:

  1. verifying the identity information held by the designated agency;
  2. supplementing the identity information held by the designated agency; and/or
  3. determining more general trends or matters of interest or generating aggregate information summaries about the individuals who are data-matched.

Entity means any of the following:

  1. an individual;
  2. a company;
  3. a corporation sole;
  4. a trust;
  5. a superannuation fund;
  6. a partnership;
  7. an incorporated association;
  8. an unincorporated association;
  9. a body politic.

Macro-analysis means an analysis, at an aggregated level, of a range of data sources, records, files, a system or systems and/or other information about a broader, general or overall context, as opposed to micro-analysis on a single entity.

Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion (section 6 of the Privacy Act).

Serious and organised crime (10) means an offence:

  1. that involves 2 or more offenders and substantial planning and organisation; and
  2. that involves, or is of a kind that ordinarily involves, the use of sophisticated methods and techniques; and
  3. that is committed, or is of a kind that is ordinarily committed, in conjunction with other offences of a like kind; and
  4. that is a serious offence within the meaning of the Proceeds of Crime Act 2002, an offence against Subdivision B or C of Division 471, or D or F of Division 474, of the Criminal Code, an offence of a kind prescribed by the regulations (11) or an offence that involves any of the following:
    1. theft;
    2. fraud;
    3. tax evasion;
    4. money laundering;
    5. currency violations;
    6. illegal drug dealings;
    7. illegal gambling;
    8. obtaining financial benefit by vice engaged in by others;
    9. extortion;
    10. violence;
    11. bribery or corruption of, or by, an officer of the Commonwealth, an officer of a State or an officer of a Territory;
    12. perverting the course of justice;
    13. bankruptcy and company violations;
    14. harbouring of criminals;
    15. forging of passports;
    16. firearms;
    17. armament dealings;
    18. illegal importation or exportation of fauna into or out of Australia;
    19. cybercrime;
    20. matters of the same general nature as one or more of the matters listed above; and

da. that is:

  1. punishable by imprisonment for a period of 3 years or more; or
  2. a serious offence within the meaning of the Proceeds of Crimes Act 2002;
but:
  1. does not include an offence committed in the course of a genuine dispute as to matters pertaining to the relations of employees and employers by a party to the dispute, unless the offence is committed in connection with, or as part of, a course of activity involving the commission of a serious and organised crime other than an offence so committed; and
  2. does not include an offence the time for the commencement of a prosecution for which has expired
07-FEB-2014

Back to the top


Procedure for making requests for bulk AUSTRAC information

For each request for bulk AUSTRAC information, an ATO official or an authorised officer of a designated agency should make written application to the AUSTRAC CEO.

The request should be made, or otherwise authorised, by an Executive Level 2 (EL2) or Senior Executive Service (SES) officer (or other equivalent senior team manager/leader) who is entitled or authorised to access AUSTRAC information. (12)

Each request for bulk AUSTRAC information must specify the following information:

  • details of the authorised official making the request (requesting officer)
  • where the request is made by a person below the EL 2 (or other equivalent senior team manager/leader) level - details of the senior officer (13) authorising the request being made by the requesting officer
  • details of the agency and, where applicable, the business area/section of the agency of the requesting officer making the request (requesting agency)
  • details of how the requested bulk AUSTRAC information will assist or facilitate the requesting agency carry out its intelligence, regulatory, compliance, law enforcement or information-gathering functions prescribed under its governing legislation
  • the exact nature or parameters of the bulk AUSTRAC information being requested
  • sufficient information about the intended use of the requested bulk AUSTRAC information
  • whether similar bulk AUSTRAC information has been requested in the past, and whether this request will supplement or replace the AUSTRAC information requested in that previous request
  • whether or not the bulk AUSTRAC information will be used in any data matching or macro-analysis to be undertaken by the requesting agency which is covered by the Data Matching Guidelines
  • whether the information is to be further disseminated to another agency and, if so, to which agency and for what purpose
  • any other relevant information that may assist the AUSTRAC CEO in his/her deliberations.

All requests for bulk AUSTRAC information will need to acknowledge that the requesting agency is aware of, and will comply with, the requirements of Part 11 of the AML/CTF Act regarding the use and any further disclosure of AUSTRAC information to another agency or person.

For the ATO only, an acknowledgement that the ATO official will:

  • comply with the requirements and procedures in Schedule 3 of the ATO MOU concerning receipt, decryption, storage and destruction of bulk AUSTRAC information; and
  • in accordance with the provisions of the ATO MOU, take reasonable steps to ensure that there are satisfactory processes in place to protect the integrity, security and privacy of the bulk AUSTRAC information which is disseminated in accordance with the relevant MOU.

For designated agencies only:

  • whether or not the requesting officer already has an entitlement to the requested AUSTRAC information under the relevant written authorisation made by the AUSTRAC CEO pursuant to subsection 126(1) of the AML/CTF Act (included in the MOU between AUSTRAC and the designated agency)
  • a specific explanation of how access to the bulk AUSTRAC information will achieve one or more of the following objectives (as applicable):

    • facilitate the administration and enforcement of taxation revenue laws of the Commonwealth, States or Territories
    • fulfil international obligations, as well as addressing matters of international concern, in relation to combating money laundering and financing of terrorism
    • facilitate the protection of the integrity of Australia's financial system
    • facilitate the protection of Australia's national security
    • assist in the (proposed) investigation and/or prosecution of serious criminal activity including tax evasion, terrorism financing, money laundering or 'serious and organised crime' (14) (and, if so, details of the serious criminal activities, including actual or alleged breaches)
  • an outline of how the requesting agency will:

    • comply with any conditions specified by the AUSTRAC CEO in relation to the use, protection, recording, storage, disclosure and destruction of the bulk AUSTRAC information being disseminated; and
    • protect the integrity, security and privacy of the bulk AUSTRAC information which is disseminated to it in accordance with the relevant MOU.

Back to the top


Considering requests for bulk AUSTRAC information

AUSTRAC's Intelligence Oversight Committee (IOC) will provide advice on matters considered relevant to assist the AUSTRAC CEO in considering a request for bulk AUSTRAC information.

The AUSTRAC CEO:

  • will give due and timely consideration to all written requests from ATO officials and appropriately authorised officials of designated agencies for the disclosure of bulk AUSTRAC information
  • may request further information or clarification from the requesting agency to confirm that the proposed dissemination is consistent with the requirements in the AML/CTF Act and this guidance, or to clarify any details relating to the request.

For designated agency requests, the AUSTRAC CEO:

  • will consider whether or not the requested bulk AUSTRAC information is covered by an existing written authorisation made by the AUSTRAC CEO pursuant to subsection 126(1) of the AML/CTF Act in relation to the requesting officer or the requesting agency
  • will consider whether the requesting agency already has online access to the requested bulk AUSTRAC information
  • will have regard to the objects of the AML/CTF Act contained in section 3 of the AML/CTF Act, including whether disclosure of the requested bulk AUSTRAC information will:
    • fulfil any international obligations under the prescribed United Nations Conventions and United Nations Security Council Resolutions (15); and
    • address matters of international concern; (16)

in relation to combating money laundering and financing of terrorism

  • will consider the prescribed functions of the requesting agency and whether provision of the requested bulk AUSTRAC information to the requesting agency will assist the requesting agency in carrying out its prescribed functions - especially where they are of an intelligence, regulatory, law enforcement, compliance or information-gathering nature
  • will consider whether provision of the requested bulk AUSTRAC information to the requesting agency will:
    • facilitate the administration and enforcement of taxation revenue laws of the Commonwealth, States or Territories
    • facilitate the protection of the integrity of Australia's financial system
    • facilitate protection of Australia's national security
    • assist in the (proposed) investigation and/or prosecution of serious criminal activity including tax evasion, terrorism financing, money laundering or 'serious and organised crime' (17)
  • will have regard to the factors outlined in subsection 212(3) of the AML/CTF Act (Functions of the AUSTRAC CEO), including:
    • crime reduction
    • privacy
    • such other matters (if any) as the AUSTRAC CEO considers relevant
  • will consider whether similar bulk AUSTRAC information has previously been requested by the same agency or another designated agency for the same purpose(s), how long ago the request was made and whether the information has since been destroyed by that agency
  • will consider whether bulk AUSTRAC information is the most appropriate form of data for the purpose outlined by the requesting agency, or whether similar or other information (including information already in the possession of another designated agency or de-identified information) is more appropriate for the requesting agency or would service the purpose outlined by the requesting agency while minimising the privacy impact
  • will consider whether any existing AUSTRAC business practices and services (for example, macro-analysis and data matching) are more appropriate
  • will consider any:
    • potential mutually beneficial outcomes
    • potential outcomes for whole-of-government strategies, multi-agency taskforces and broader government interests

    arising from the dissemination of the requested bulk AUSTRAC information

  • will consider whether reasonable steps are proposed to be taken by the requesting agency to protect the integrity, security and privacy of the bulk AUSTRAC information being disseminated to the requesting officer
  • may review the bulk AUSTRAC information requested for accuracy, data integrity, duplication and other potential issues and cleanse or rectify the data appropriately, prior to disseminating the information to the requesting officer
  • may determine in what circumstances the requested bulk AUSTRAC information will be released to the requesting officer
  • may impose conditions in relation to the use, protection, recording, storage, disclosure and destruction of the bulk AUSTRAC information being disseminated; this may include requiring the requesting agency to give undertakings to:
    • not further disclose suspect transaction and suspicious matter reports to non-designated agencies; and
    • destroy the bulk AUSTRAC information after a certain period of time, or prior to the provision by AUSTRAC of further bulk AUSTRAC information to the requesting agency
  • will provide a written decision on whether or not the requested bulk AUSTRAC information will be disseminated and, if not, the reasons for such refusal.

Back to the top


Grounds for refusing a request for bulk AUSTRAC information from an authorised officer of a designated agency

ATO officials have an entitlement under the AML/CTF Act to access AUSTRAC information for the purpose of performing their duties. More specifically, ATO officials can only access AUSTRAC information for any purpose relating to the facilitation of the administration or enforcement of a taxation law.

Officials of designated agencies do not have a corresponding entitlement under the AML/CTF Act to access AUSTRAC information and are restricted in terms of the amount and type of AUSTRAC information they can access. Given these legal constraints and the potential quantum of AUSTRAC data involved, not all written requests for bulk AUSTRAC information will be approved for release to designated agencies.

A request for bulk AUSTRAC information from an authorised officer of a designated agency may be refused for any one or more of the following reasons:

  • the designated agency has a history of non-compliance with:
    • Part 11 of the AML/CTF Act in relation to the use and/or further disclosure of AUSTRAC information; and/or
    • the terms and conditions of its MOU
  • the requesting agency or requesting authorised officer is not authorised to have access to the requested bulk AUSTRAC information under the existing written authorisation made by the AUSTRAC CEO pursuant to subsection 126(1) of the AML/CTF Act in relation to the requesting officer or the requesting agency
  • the requesting agency has not included the relevant details and required explanations specified in Section 3 of this guidance - 'Procedure for making requests for bulk AUSTRAC information' - in its written request for bulk AUSTRAC information
  • the requesting agency has made a broad request for a general class of bulk AUSTRAC information without any limiting parameters (akin to a 'fishing' exercise or general fact finding)
  • the written request for bulk AUSTRAC information contains an inadequate explanation of the purpose for requesting bulk AUSTRAC information (akin to a 'fishing' exercise or general fact finding)
  • the designated agency is unable to confirm whether or not the requested bulk AUSTRAC information will be used for data matching or macro-analytical purposes
  • the type and amount of bulk AUSTRAC information requested does not correlate to the purpose for which the information is requested
  • the written request for bulk AUSTRAC information contains an inadequate explanation of the connection between the need to obtain the requested bulk AUSTRAC information and the designated agency's intelligence/regulatory/law enforcement or information-gathering powers or prescribed functions
  • the written request contains an inadequate explanation of the link between the prescribed functions of the requesting agency and the proposed use of the requested bulk AUSTRAC information
  • the requested bulk AUSTRAC information does not relate to achieving one or more of the following objectives:
    • facilitating the administration and enforcement of taxation revenue laws of the Commonwealth, States or Territories
    • fulfilling international obligations, as well as addressing matters of international concern, in relation to combating money laundering and financing of terrorism
    • facilitating the protection of the integrity of Australia's financial system
    • facilitating the protection of Australia's national security
    • assisting in an actual (or proposed) investigation and/or prosecution of serious criminal activity including tax evasion, terrorism financing, money laundering or 'serious and organised crime' (18)
  • in the opinion of the AUSTRAC CEO, bulk AUSTRAC information is not the most appropriate form of data for the purpose outlined in the written request made by the requesting agency - for example, other sources may contain sufficient information to meet the needs of the requesting agency
  • the designated agency has provided inadequate undertakings and controls in relation to the use, protection, recording, storage, disclosure and destruction of the bulk AUSTRAC information to be disseminated, or has not complied with such undertakings and controls in relation to previously-disseminated AUSTRAC information
  • the requesting agency already has online access to the requested bulk AUSTRAC information
  • any other matters deemed relevant by the AUSTRAC CEO.

Back to the top

13-MAR-2013

Appendix 1 - Dissemination of bulk AUSTRAC information - legal framework

General

Any disclosure of AUSTRAC information, including bulk AUSTRAC information, must occur in accordance with Part 11 of the AML/CTF Act. In particular, access to AUSTRAC information by Australian Government agencies is governed by Division 4 of Part 11 of the AML/CTF Act.

These provisions are critical for balancing the privacy of personal information and the protection of AUSTRAC information with the objectives of designated agencies. The provisions impose obligations upon entrusted public officials concerning the access to and disclosure and communication of, AUSTRAC information.

Requests for bulk AUSTRAC information from an ATO official

Access to AUSTRAC information by an ATO official is provided under section 125 of the AML/CTF Act, which specifies that the Commissioner of Taxation and any taxation officer is entitled to access AUSTRAC information for any purpose relating to the administration or enforcement of a taxation law.

Bulk AUSTRAC information has been disclosed to the ATO on a regular basis since 2005 as part of a joint ATO-AUSTRAC data matching project within the framework originally provided by the FTR Act and subsequently by the AML/CTF Act and the MOU between the two agencies.

Although an ATO official is entitled to access AUSTRAC information under the AML/CTF Act, Schedule 3 of the ATO MOU (19) provides that the AUSTRAC CEO may agree to provide the Commissioner of Taxation with yearly or half-yearly sets of eligible collected information upon written request, provided the conditions in the ATO MOU are adhered to. This process is in place to ensure that bulk AUSTRAC information is:

  • provided to an ATO official in a formal and accountable manner
  • adequately protected from unauthorised access, use, modification, destruction, recording, storage and disclosure and satisfies the requirements of the Information Privacy Principles (IPPs) in section 14 of the Privacy Act (20)
  • handled in accordance with any Protected Information Policy Guidelines (21) where it is used in any data matching activities undertaken by the ATO.

It is possible that the ATO may request other sets of bulk AUSTRAC information which are not covered by Schedule 3 of the ATO MOU, provided it is for any purpose relating to the administration or enforcement of a taxation law.

Requests for bulk AUSTRAC information from an officer of a designated agency

Access to AUSTRAC information by an officer of a designated agency is provided under subsection 126(1) of the AML/CTF Act. The AUSTRAC CEO may, in writing, authorise specified officials or a specified class of officials of a specified designated agency to have access to AUSTRAC information for the purpose of performing the agency's functions and exercising the agency's powers.

This means that all bulk AUSTRAC information requests must relate to AUSTRAC information which the relevant (official in the) designated agency can lawfully access under the relevant written authorisation made by the AUSTRAC CEO pursuant to subsection 126(1) of the AML/CTF Act.

The majority of designated agencies with which AUSTRAC has an MOU have online access to AUSTRAC information through the TES/TRAQ functionality. Online access to the TES/TRAQ functionality is not automatically granted to every designated agency. Furthermore, those designated agencies which do have online access are not allowed to access bulk AUSTRAC information through a single download or search functionality. This is particularly the case where a search inquiry for certain AUSTRAC information produces results in excess of the standard TES/TRAQ access parameters. More importantly, except in a few cases, all designated agency MOUs stipulate that the relevant agency will:

  • not download bulk AUSTRAC information to an external device (such as a computer disk, USB drive, MP3 player or magnetic tape) except where approval is granted to do so by the AUSTRAC CEO (or senior AUSTRAC officer approved by the AUSTRAC CEO) or a delegate (22)
  • adhere to the Data Matching Guidelines and not use AUSTRAC information for data matching purposes unless specifically authorised by the AUSTRAC CEO (23); this restriction is in place both to protect AUSTRAC information and satisfy the requirements of the IPPs and the Data Matching Guidelines
  • ensure that the AUSTRAC information it obtains from AUSTRAC is protected by such security safeguards as is reasonable in the circumstances against loss, unauthorised access, unauthorised use, unauthorised disclosure, modification, destruction and other misuse.

In deciding whether to disclose bulk AUSTRAC information to an officer of a designated agency, the AUSTRAC CEO must have regard to the factors outlined in section 212 of the AML/CTF Act ('Functions of the AUSTRAC CEO'). These include crime reduction, privacy and such other matters (if any) as the AUSTRAC CEO considers relevant (see subsection 212(3)).

Disclosing bulk AUSTRAC information - other requirements

Privacy Act

Personal information included in AUSTRAC information is subject to the provisions of the Privacy Act and in particular, the IPPs in section 14 of the Privacy Act (24). The IPPs govern the collection, storage, use and disclosure of personal information by Australian Government agencies. Further, subsection 126(3) of the AML/CTF Act specifies that State and Territory designated agencies must undertake to comply with the IPPs in respect of AUSTRAC information obtained:

  • under the written authorisation made by the AUSTRAC CEO pursuant to subsection 126(1) of the AML/CTF Act; or
  • from an official from another designated agency under subsection 128(1) of the AML/CTF Act.
    Note that a disclosure of bulk AUSTRAC information which is required or authorised by law, in this case Part 11 of the AML/CTF Act, will satisfy IPP 11, which deals with disclosure of personal information, under IPP 11.1(d).

Data Matching Guidelines

Where the ATO or a designated agency proposes to use bulk AUSTRAC information in data matching, it should ensure it complies with all relevant Commonwealth and internal guidance, guidelines and standard operating procedures (SOPs) in relation to such data matching activities.

The Data Matching Guidelines originally issued by the Office of the Privacy Commissioner (the functions of which, from 1 November 2010, are now carried out by the Office of the Australian Information Commissioner) are designed to ensure that agencies comply with the IPPs in relation to data matching exercises. Under their respective MOUs with AUSTRAC, the ATO and each of the designated agencies (25) undertake to adhere to the Data Matching Guidelines. This undertaking also obliges taxation officers and appropriately authorised officials of designated agencies not to use AUSTRAC information for data matching purposes unless specifically authorised by the AUSTRAC CEO or (where mentioned) his/her delegate (26). This does not preclude an ATO official or an authorised officer of a designated agency from:

  • comparing bulk AUSTRAC information against the ATO's or a designated agency's existing databases for the purpose of confirming identities; or
  • downloading bulk AUSTRAC information for inclusion in internal working documents, such as information reports, spreadsheets or analytical software applications.

Definitions in the AML/CTF Act

Section 5 of the AML/CTF Act contains the following definitions:

AUSTRAC information means:

(a) eligible collected information; or
(b) a compilation by the AUSTRAC CEO of eligible collected information; or
(c) an analysis by the AUSTRAC CEO of eligible collected information.

designated agencymeans [note: additions in italics and brackets]:

(a) the Australian Crime Commission; or
(b) ASIO [Australian Security Intelligence Organisation]; or
(c) the Australian Commission for Law Enforcement Integrity; or
(d) the Australian Competition and Consumer Commission; or
(e) Customs; or
(f) the Australian Federal Police; or
(g) the Australian Prudential Regulation Authority; or

    (ga) ASIS [Australian Secret Intelligence Service]; or
    (gb) DIGO [Defence Imagery and Geospatial Organisation]; or
    (gc) DIO [Defence Intelligence Organisation]; or
    (gd) DSD [Defence Signals Directorate]; or
    (ge) ONA [Office of National Assessments]; or

(h) the Australian Securities and Investments Commission; or
(i) the Human Services Department; or
(k) a Commonwealth Royal Commission whose terms of reference include inquiry into whether unlawful conduct (however described) has, or might have, occurred; or

(ka) the Department of Foreign Affairs and Trade; or

(l) the Immigration Department; or
(m) IGIS [Inspector-General of Intelligence and Security]; or
(n) the Treasury Department; or
(o) an authority or agency of the Commonwealth, where the authority or agency is specified in the regulations; or
(p) the police force or police service of a State or the Northern Territory; or
(q) the New South Wales Crime Commission; or
(r) the Independent Commission Against Corruption of New South Wales; or
(s) the Police Integrity Commission of New South Wales; or
(t) the Crime and Misconduct Commission of Queensland; or
(u) the Corruption and Crime Commission of Western Australia; or
(v) an authority or agency of a State or Territory, where the authority or agency has the responsibility of collecting or receiving taxation revenue of the State or Territory; or
(w) a State/Territory Royal Commission:

(i) whose terms of reference include inquiry into whether unlawful conduct (however described) has, or might have, occurred; and
(ii) that is specified in the regulations; or

(x) an authority or agency of a State or Territory, where the authority or agency is specified in the regulations.

eligible collected information means:

(a) information obtained by the AUSTRAC CEO under:

(i) this Act; or
(ii) any other law of the Commonwealth; or
(iii) a law of a State or Territory; or

(b) information obtained by the AUSTRAC CEO from a government body; or
(c) information obtained by an authorised officer under Part 13, 14 or 15;

and includes FTR information (within the meaning of the Financial Transaction Reports Act 1988).

Back to the top


Appendix 2 - Schedule 3 to the ATO MOU

Preparation, Transfer, Storage and Destruction Protocols for Bulk AUSTRAC information

These guidelines only pertain to request by the ATO for yearly or half yearly sets of all eligible collected information that has been supplied by AUSTRAC. Under these circumstances the volume of information is very large (greater than 15 million transactions) and, consequently, the most efficient and safe method of exchange of this information for both agencies will be by encrypted compact disc.

AUSTRAC information is classified as 'IN-CONFIDENCE'. All documented steps in this schedule comply with AUSTRAC's Standard Operating Procedure - 'Transfer, and Transmission of Protected, Highly Protected or Confidential Material' - Version October 2008 which is compatible with the ATO's Guide to Information Security'.

Requests for bulk AUSTRAC information by the Australian Taxation Office

  1. Any request for bulk AUSTRAC information (information that is not already facilitated by a function of the AUSTRAC online system) will be made by written notice in accordance with clause 83 of this MOU. (27)
  2. In respect of each bulk data request, the ATO agrees to supply sufficient information of the reasons and business case underpinning the request to enable the CEO or his delegate to make a decision.

Extraction, Preparation and Transportation of approved bulk AUSTRAC information

  1. Once a bulk AUSTRAC information request has been approved by the CEO (or his delegate), AUSTRAC agrees to extract and prepare the information within a reasonable period (no more than 6 weeks after the CEO (or his delegate) has approved the request).
  2. All extraction and preparation work will be undertaken by authorised AUSTRAC staff and copied to compact discs in a digital format within the 'Protected' confines of the AUSTRAC office.
  3. AUSTRAC will encrypt the compact disc containing the bulk AUSTRAC information using appropriate encryption software mutually agreed to by AUSTRAC and the ATO. As a minimum, the software must contain Data Encryption Standard approved algorithms (DES).
  4. Encryption standards will be of a comparable level to satisfy the 'PROTECTED' classification within the Australian Government policy on document (including aggregation) and system classification.
  5. Once the encryption process has been completed, the authorised AUSTRAC officer will contact the Director Analytics and Senior Data Miner, Officer of Chief Knowledge Officer (OCKO), ATO by telephone or email that the compact disc is on its way by safe hand courier.
  6. The authorised AUSTRAC officer will ensure that the disc has been despatched via safe hand courier and in accordance with the requirements of AUSTRAC's Standard Operating Procedure - 'Transfer, and Transmission of Protected, Highly Protected or Confidential Material' - Version October 2008.

Receipt and decryption of bulk AUSTRAC information by the Australian Taxation Officer:

  1. On receipt of the encrypted compact disc containing the bulk AUSTRAC information, the authorised ATO officer will complete the dispatch advice form and forward it off to AUSTRAC by fax or email immediately.
  2. The encrypted compact disc will be decrypted by an authorised ATO officer and the bulk AUSTRAC information will be uploaded to a safe environment in accordance with the ATO's accepted practices on the uploading of protected information from third parties.

Storage and destruction of compact disc containing bulk AUSTRAC information by the Australian Taxation Office

  1. At all times the encrypted compact disc will be stored in a 'C' class cabinet within the Analytics section of OCKO, ATO, until such time as the information has been verified by the ATO for quality and completeness. This is in accordance with the ATO's Guide to Information Security.
  2. After verification, the encrypted disc will be destroyed in accordance with accepted ATO procedures for the safe destruction of protected material.
  3. The Analytics section, OCKO, ATO, will be responsible for the storage and destruction of the encrypted compact disc containing bulk AUSTRAC information.
  4. The Analytics section, OCKO, ATO, will notify an authorised AUSTRAC officer that destruction has occurred. Notification will be in accordance with clause 83 of this MOU. (28)

Back to the top

13-MAR-2013

Footnotes:

(1) 'Designated agency' is defined in section 5 of the AML/CTF Act.

(2) It should be noted, however, that the Data Matching Guidelines only apply to data-matching activities caught by these Guidelines.

(3) The equivalent provision of the FTR Act was paragraph 27(1)(a) (now repealed).

(4) As defined in subsection 4(1) of the Australian Crime Commission Act 2002 and reproduced in section 2 of this guidance.

(5) Provision of bulk AUSTRAC information to:

  • non-designated Commonwealth agencies under section 129 of the AML/CTF Act; and
  • foreign government agencies under sections 132-133C of the AML/CTF Act;

is not covered by this Guidance.

Please refer to AUSTRAC policy for each of these respective provisions: Access by non-designated Commonwealth agencies to AUSTRAC Information (pending) and Communication of AUSTRAC information to a foreign country.

(6) Autosearch activities conducted by AUSTRAC are undertaken in accordance with AUSTRAC's Autosearch Protocol, which is consistent with the Australian Information Commissioner's The use of data matching in Commonwealth administration - Guidelines. A PDF copy of the protocol is available on Intelligence page of the AUSTRAC website.

(7) This definition is based on the description of autosearching on page 3 of AUSTRAC's Autosearch Protocol. A PDF copy of the protocol is available on Intelligence page of the AUSTRAC website.

(8) The 5,000 threshold was used to ensure consistency with:

  • the Data Matching Guidelines - which apply when at least two databases (to be compared) or extracts of databases contain information about more than 5,000 individuals; and
  • the TES default system limits in relation to the 'names list' functionality. In other words, the maximum number of entities/names which a designated agency can view in respect of an inquiry, even if the ultimate number of results is much greater.

(9) Entity-specific information includes information such as name, address, account number, date of birth or identification numbers such as Australian Business Number (ABN).

(10) Reproduced from section 4 of the Australian Crime Commission Act 2002.

(11) Regulations made under the Australian Crime Commission Act 2002.

(12) In the case of a designated agency, the EL2 or SES officer would need to be authorised to access AUSTRAC information under the relevant authorisation given by the AUSTRAC CEO under subsection 126(1) of the AML/CTF Act.

(13) The request should be authorised by an EL2 or SES officer (or other equivalent senior team manager/leader) who is authorised to access AUSTRAC information under the relevant authorisation given by the AUSTRAC CEO under subsection 126(1) of the AML/CTF Act.

(14) As defined in subsection 4(1) of the Australian Crime Commission Act 2002 and reproduced in section 2 of this guidance.

(15) As prescribed in subsection 3(2) of the AML/CTF Act. Subsection 3(2) of the AML/CTF Act provides as follows:

  1. Relevant international obligations include obligations under the following:
    1. the United Nations Convention Against Corruption, done at New York on 31 October 2003 [2006] ATS 2;
    2. the United Nations Convention Against Transnational Organized Crime, done at New York on 15 November 2000 [2004] ATS 12;
    3. the Convention on Laundering, Search, Seizure and Confiscation of the Proceeds of Crime, done at Strasbourg on 8 November 1990 [1997] ATS 21;
    4. United Nations Security Council Resolution 1267 S/RES/1267 (1999);
    5. United Nations Security Council Resolution 1373 S/RES/1373 (2001);
    6. United Nations Security Council Resolution 1617 S/RES/1617 (2005).

(16) Subsection 3(3) prescribes that the following reflect international concern:

  1. the FATF Recommendations;
  2. the United Nations Convention Against Corruption, done at New York on 31 October 2003 [2006] ATS 2;
  3. the United Nations Convention Against Transnational Organized Crime, done at New York on 15 November 2000 [2004] ATS 12;
  4. the Convention on Laundering, Search, Seizure and Confiscation of the Proceeds of Crime, done at Strasbourg on 8 November 1990 [1997] ATS 21;
  5. the International Convention for the Suppression of the Financing of Terrorism, done at New York on 9 December 1999 [2002] ATS 23;
  6. United Nations General Assembly Resolution 51/210 A/RES/51/210 (1996);
  7. United Nations Security Council Resolution 1267 S/RES/1267 (1999);
  8. United Nations Security Council Resolution 1269 S/RES/1269 (1999);
  9. United Nations Security Council Resolution 1373 S/RES/1373 (2001);
  10. United Nations Security Council Resolution 1456 S/RES/1456 (2003);
  11. United Nations Security Council Resolution 1617 S/RES/1617 (2005).

Note 1: FATF Recommendations is defined in section 5 [of the AML/CTF Act].

(17) As defined in subsection 4(1) of the Australian Crime Commission Act 2002 and reproduced in section 2 of this guidance.

(18) As defined in subsection 4(1) of the Australian Crime Commission Act 2002 and reproduced in section 2 of this guidance.

(19) Schedule 3 to the ATO MOU is reproduced in Appendix 2 to this guidance.

(20) The IPPs are available on the Office of the Australian Information Commissioner's website

(21) Clause 22(d) of the ATO MOU provides that the AUSTRAC CEO may agree to provide the Commissioner of Taxation with downloads of AUSTRAC information for data matching by the ATO provided that:

the data matching of AUSTRAC information complies as far as possible with any policy guidelines laid down by the Commonwealth relating to the handling of protected information, in particular Security Classified Information (including the Protective Security Manual and the Information and Communications Technology Security Manual) and the Privacy Commissioner's Guidelines (including those guidelines that pertain to data matching) (Protected Information Policy Guidelines).

(22) This 'downloading of bulk AUSTRAC information' clause is not included in the MOUs with the following designated agencies:

  • the Australian Prudential Regulation Authority (APRA)
  • the Australian Capital Territory Revenue Office.

These two designated agencies do not have online access to AUSTRAC information through the TES/TRAQ functionality. Accordingly, there was no need to include this clause in their current MOUs.

(23) This 'adherence with the Data Matching Guidelines' clause is not included in the MOUs with the following designated agencies:

  • the Australian Security Intelligence Organisation (ASIO)
  • the Australian Secret Intelligence Service (ASIS)
  • the Defence Imagery and Geospatial Organisation (DIGO).

These agencies have various exclusions from the Privacy Act under section 7 of that Act. ASIO and ASIS are both “intelligence agencies” for the purposes of the Privacy Act. “Intelligence agency” is defined in section 6 of the Privacy Act to mean ASIO, ASIS and Office of National Assessments (ONA) only. Defence-related intelligence agencies are mentioned separately and specifically in section 7 of the Privacy Act.

(24) The IPPs are available on the Office of the Australian Information Commissioner's website.

(25) Except the MOUs with ASIO, ASIS and DIGO. See also footnote 23.

(26) The MOU with each designated agency, generally, has a clause along the following lines:

[Name of agency] agrees that it will adhere to the Privacy Commissioner's Guideline: The use of data matching in Commonwealth Administration (the Guidelines). In doing so, [name of agency] will not use AUSTRAC information for data matching purposes unless specifically authorised by the AUSTRAC CEO. This does not preclude routine comparison by the [name of agency] of AUSTRAC information against its existing databases, for the purpose of confirming identities or the downloading of such data for inclusion into internal working documents, such as information reports, spreadsheets or analytical software applications.

(27) Clause 83 of the ATO MOU provides as follows:

"Notices

83. Notices under this MOU must be in writing, marked for the attention of the recipient's MOU Manager, and sent to that MOU Manager's address by hand delivery, ordinary or registered pre-paid post, or facsimile or email transmission (but if transmitted electronically, a hard copy must also be sent by pre-paid post within 1 business day), and will be taken to be received by the recipient:

  1. if sent by hand delivery or registered pre-paid post - on the date it is delivered;
  2. if sent by ordinary pre-paid post - 3 business days after the date of posting; or
  3. if sent electronically - on the business day next following the day on which the transmission was sent in its entirety to the recipient's facsimile machine or email system (as the case may be).

A notice that is given by a party may be signed by that party's MOU Manager or other authorised officer."

(28) See previous footnote, which reproduces clause 83 of the ATO MOU.

08-MAR-2013

Last modified: ...

 

© Commonwealth of Australia - AUSTRAC 2014