Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2)

 

I, Angele Falk, Australian Information Commissioner, make the following public interest determination under subsection 72(2) of the Privacy Act 1988 (Privacy Act).

Dated: 14 February 2020

Signed

 

Angele Falk
Privacy Commissioner

 

This is the Privacy (International Money Transfers) Public Interest Determination 2020 (No. 2).

This public interest determination commences on the day of its registration on the Federal Register of Legislation maintained under section 15A of the Legislation Act 2003.

This determination is made by the Australian Information Commissioner under subsection 72(2) of the Privacy Act.

 

The Privacy (International Money Transfers) Public Interest Determination 2015 (No. 2) (FRLI - F2015L00200) is repealed immediately before this public interest determination commences.

This public interest determination is repealed 5 years from the day on which it commences.

Terms defined in the Privacy Act have the same meanings in this public interest determination.

(1)   The Reserve Bank of Australia (RBA) is an Australian Privacy Principle (APP) entity under subsection 6(1) of the Privacy Act because it is an agency under subsection 6(1) of the Privacy Act, and an organisation under section 7A(3) of the Privacy Act for particular acts and practices.

(2)   The RBA has applied under section 73 of the Privacy Act for a public interest determination in relation to the acts and practices set out in section 7 below.

(1)   The disclosure of the personal information about an individual to an overseas recipient by the RBA breaches or may breach APP 8.1 where:

(a)   the RBA, as authorised to carry out banking business under the Banking Act 1959 and the Reserve Bank Act 1959, is processing an international money transfer (IMT) on behalf of one of its customers, and

(b)   in order to process the IMT, the RBA discloses personal information of the individual who is the beneficiary of the IMT (beneficiary) to another financial institution that is not in Australia or an external Territory (overseas financial institution) for the purpose of:

(i)      remitting the relevant funds to the beneficiary’s financial institution for payment, or

(ii)      a communication that is necessary to confirm receipt of the funds or to facilitate processing or return of the funds by the beneficiary's financial institution, and

(c)    the RBA does not have a contractual relationship with the overseas financial institution that obliges the overseas financial institution to comply with the APPs other than APP 1.

(2)   The acts and practices set out in subsection (1) above may also lead to the RBA breaching other APPs (other than APP 1) by reason of the application of subsection 16C(2) of the Privacy Act if the overseas financial institution does an act, or engages in a practice, in relation to the information that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.

(1)   The public interest in the RBA carrying out the acts and practices set out in section 7 above outweighs to a substantial degree the public interest in adhering to APP 8.1 or the RBA being taken to have breached an APP (other than APP 1) as a result of the acts or practices of the overseas financial institution where:

(a)   it is not practical for the RBA to rely on the exceptions set out at APP 8.2(a) or APP 8.2(b) when disclosing the personal information,

(b)   the other exceptions in APP 8.2 are not relevant to the disclosure of the personal information,

(c)    the RBA takes a number of steps to ensure the security and confidentiality of the personal information disclosed, and

(d)   the nature of the arrangements that support and facilitate the processing of IMTs means that the RBA is not in a position to take additional steps to comply with APP 8.1 before disclosing the personal information.

(2)   For the purpose of paragraph 8(1)(a) above, it may not be practical for the RBA to rely on the exception at APP 8.2(a) when engaging in the acts and practices set out in section 7 due to:

(a)   the potentially large number of overseas locations to which the personal information may be disclosed, and

(b)   the RBA not having any relationship with the beneficiary, or the means to establish that relationship, in order to gain the beneficiary’s consent to the disclosure of the personal information.

(1)   Accordingly, by operation of subsection 72(3) of the Privacy Act, while this public interest determination is in force the RBA is taken not to breach section 15 of the Privacy Act if:

(a)   the RBA breaches APP 8.1 when engaging in the acts and practices set out in section 7 above, or

(b)   an overseas financial institution does an act, or engages in a practice, in relation to the personal information disclosed to it by the RBA in the course of the RBA doing the acts or engaging in the practices set out in section 7 above, that would be a breach of an APP (other than APP 1) if the APPs applied to that act or practice.