Is your business prepared for the July 1 changes?
From 1 July, under the AML/CTF reforms, more businesses will fall under the Privacy Act 1988. This includes businesses that were previously exempt under the "small business exemption", such as:
- real estate professionals,
- lawyers,
- conveyancers,
- accountants and trust and company service providers, and
- dealers in precious stones, metals and products.
The Privacy Act obligations will apply to personal information handled in order to meet obligations under the AML/CTF Act and Rules, such as:
- collection, use and storage of personal information for customer due diligence,
- collection, use, storage and disclosure of personal information for monitoring and reporting obligations,
- holding personal information to meet AML/CTF record-keeping obligations, and
- collection, use and storage of personal information for personnel due diligence (where the employee records exemption under the Privacy Act does not apply).
The OAIC has provided this chart to help determine whether the personal information you hold is covered:

Source: Office of the Australian Information Commissioner.
What do you need to do?
If you are required to comply with the AML/CTF Act, you also need to comply with the Privacy Act, including the Australian Privacy Principles (APPs), when handling personal information to fulfil those obligations.
This includes, but is not limited to:
- having a Privacy Policy and collection notices that are clear and transparent and describe how personal information is handled (APP 1 and APP 5),
- only collecting what is required to fulfil your obligations, for example not keeping full copies of identification documents once identity has been verified (APP 3),
- taking reasonable steps to ensure that any overseas disclosure does not breach the APPs (APP 8),
- taking reasonable steps to keep personal information secure (APP 11),
- destroying or de-identifying personal information once it is no longer required for an AML/CTF or other legal purpose (APP 11), and
- having a data breach response plan in place so that you can respond quickly, and notify the OAIC and affected individuals where required under the Notifiable Data Breaches scheme, if a breach occurs.
How can we help?
Thomas IT has expertise in data privacy, data governance and cyber security. We provide several offerings that can help you meet these obligations, including:
- Privacy-specific offerings:
  - Privacy Policy creation or review,
  - Privacy Impact Assessments,
  - Privacy program implementation, including ISO/IEC 27701,
  - Privacy and cyber security control assessment and implementation, and
  - Data breach response plan development and testing.
- Managed services to protect personal information and IT systems.
Further information is available on the OAIC website.