OAIC Updates AML/CTF Privacy Guidance: What Records Managers Need to Know
The Office of the Australian Information Commissioner (OAIC) has released updated privacy guidance for organisations operating under the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act, reinforcing key principles around data minimisation, transparency and secure handling of personal information.
The guidance is particularly relevant as AML/CTF reforms expand the scope of the Privacy Act 1988. From 1 July 2026, a broader group of organisations, including real estate professionals, legal and accounting services, and dealers in precious metals, will be captured under privacy obligations. Earlier changes for existing reporting entities take effect from 31 March 2026.
For Records and Information Managers, the message is clear: only collect personal information that is reasonably necessary, ensure it is well protected, and dispose of it when no longer required. Importantly, the OAIC confirms that retaining full copies of identity documents is not required under AML/CTF obligations and should cease from March 2026 unless mandated by another law.
The guidance also emphasises the need for clear privacy policies and collection notices, alongside strong governance practices to reduce risk, particularly in the event of a data breach.
With increased regulatory scrutiny on excessive data collection and retention, this update highlights the critical role of information management professionals in aligning privacy, compliance and risk mitigation across their organisations.
Organisations are encouraged to review the OAIC’s guidance, Privacy Essentials Checklist, and supporting AUSTRAC resources to ensure a compliant and defensible approach moving forward.