Last week I spoke at the Financial Institution Auditors’ conference about privacy issues for ADIs.
ADIs (authorised deposit-taking institutions), insurers and superannuation funds hold a large amount of personal information about their customers and have extensive reporting obligations, e.g. to the ATO and APRA, and under the Financial Claims Scheme (FCS), the AML/CTF Act and unclaimed money legislation.
The previous speaker presented a case study about a mutual bank’s implementation of a single customer view as required by the Financial Claims Scheme and APS910.
Implementing a single customer view requires an approach to data management that satisfies regulatory reporting as well as the organisation’s own internal uses, customer requirements and contractual obligations.
The Privacy Act and the Australian Privacy Principles (APPs) impose obligations to keep personal information secure, accurate, up-to-date and complete, and APP 11 requires an entity to take reasonable steps to destroy or de-identify personal information it no longer needs for any purpose for which it may be used or disclosed under the APPs, unless it is required by law to retain it. That means having a record retention policy to ensure that required information is kept for the required minimum periods, and a document destruction policy to ensure that information that is out of date or no longer required is destroyed or de-identified.
In the consumer credit context, the document destruction obligations must give way to the obligation under the National Credit Act to provide borrowers, on request, with a copy of their unsuitability assessment (which includes the personal information used to support it). But if a credit report obtained for an assessment is retained for that reason, it must be held in a way that prevents its use for any other purpose, such as a subsequent loan to the borrower or to another person, or direct marketing.
The Privacy Act 1988 and the APPs apply in relation to activities undertaken by reporting entities in relation to individual customers to comply with the AML/CTF Act, such as know your customer and customer due diligence.
APP 6.2(b) permits the use or disclosure of an individual’s personal information for a purpose other than the purpose for which it was collected, without the individual’s consent, if the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order.
The meaning of “required or authorised by or under an Australian law or a court/tribunal order” is discussed in the APP Guidelines.
Examples of where an APP entity may be required or authorised by law to use or disclose personal information include where the entity is subject to a statutory requirement to report certain matters to an agency or enforcement body (for example, particular financial transactions).
The Privacy Commissioner has previously expressed concern that a large amount of personal information not necessarily required for the business purposes of financial institutions (such as customer due diligence) is collected and held for lengthy periods and is available to a wide range of government agencies through AUSTRAC using powers under other laws.
Reporting entities should notify customers, at or before the time of collection, that the collection is required under the AML/CTF Act and that some of the information collected may be reported to AUSTRAC. APP 5 requires that notice to state that the collection is required or authorised by law, to name the relevant law, and to describe the entities to which the information is usually disclosed.
Background: Financial service providers record retention checklist