From 12 March 2014, universities across Australia will have to comply with the new Australian Privacy Principles (APPs). The APPs have been designed to bring together the privacy principles applicable to Commonwealth Government agencies and many private bodies under the Privacy Act 1988 (Cth) (Privacy Act). Amendments to the Higher Education Support Act 2003 (Cth), and the operation of various guidelines relating to Commonwealth Government funding, will also require adherence to these principles by universities in the way they deal with various forms of personal information.

The APPs go beyond the obligations imposed on universities by the current Information Privacy Principles in a variety of ways. The APPs place obligations on universities to have clear and accessible policies relating to the handling of personal information. Universities engaged in direct marketing have to be concerned with any expectations created when the information was collected, whether consent to direct marketing can be obtained and how individuals can opt out. Obligations concerning government-related identifiers are also included, and there are generally more onerous requirements relating to the collection of personal information and the de-identification or destruction of personal information when no longer needed. This article focuses on the implications of the APPs on the use of cloud services for storage and access and cross-border disclosure of personal information.

Cross-border disclosure

One of the most important elements of the APPs is their explicit concern with cross-border disclosure of information. APP 8 will generally require universities to take reasonable steps to ensure that personal information provided to overseas entities will be handled in line with the APPs. Along with other changes to the Privacy Act, this principle seeks to achieve greater consistency with the general accountability approach adopted in the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and other international privacy statements and agreements. Overseas universities and service providers are likely to be aware of the range of obligations involved with the sharing of personal information placed on Australian universities by the APPs.

Under APP 8, when disclosing information to an entity not in Australia, even if the entity is related to the university, the university must take reasonable steps to ensure that the overseas entity will not breach the APPs in relation to the information. It may not always be clear when information is being disclosed, as opposed to merely used by the university. This will depend on:

  • the degree of control over the information that is retained by the university, including the ability to access, change or retrieve the information, and
  • the extent to which the use of the information by other entities is restricted, including limitations on the purposes for which the information can be used and the access and security measures required.

Draft guidelines issued by the Australian Information Commissioner, which are available on the Commissioner's website, suggest a cloud service provider contractually restricted to the storage and management of information may not involve disclosure. In such circumstances, however, the university will need to ensure that the personal information it continues to hold is reasonably protected from unauthorised disclosure under APP 11.

Contracting for services provided by overseas contractors will therefore generally require a range of enforceable obligations to comply with the APPs being included. However, it is not necessary under APP 8 to take such steps where the university reasonably believes that individuals are able to protect the privacy of their personal information through a law or scheme binding on the overseas entity that is, in effect, substantially similar overall to the protection offered by the APPs. Similarly, individuals can consent to the disclosure of their personal information to an overseas entity after being informed that their information might not be protected under the APPs. Disclosure is also permitted without taking reasonable steps in limited situations involving health and safety, suspected unlawful or serious misconduct, or locating a missing person.

Other relevant privacy principles

There are a number of APPs that relate to the overseas use or disclosure of personal information. Under APP 1, a university's privacy policy should refer to the likely disclosures to overseas recipients. When collecting personal information, universities should provide notice in line with APP 5 that the information could be used overseas or disclosed to overseas recipients. This notice should include the possibility that foreign laws might require further use or disclosure of the information without necessarily complying with the privacy principles. There is an obligation to ensure that any overseas use or disclosure of personal information is sufficiently related to the primary purpose for which it is collected or is otherwise permitted under APP 6.

Lessons for universities

Universities need to pay close attention to privacy considerations when considering contracting for the provision of services or functions that will involve personal information being used or disclosed outside of Australia, including:

  • the sensitivity of any personal information and any harm caused if privacy of the information is not maintained
  • clearly identifying the purposes for which personal information is being made available
  • understanding what existing policies and practices have been adopted by the overseas entity with respect to privacy, and any privacy laws they are subjected to
  • identifying what additional steps or protections might be required to ensure compliance with the APPs, including any technical and procedural safeguards that might be needed
  • ensuring that any limitations on the use and disclosure of personal information extends to any subcontractors or other parties provided access
  • ensuring that the university continues to have sufficient access to the information to provide access to others, make modifications or attach notices as might be required
  • providing for appropriate complaint handling procedures, and
  • providing for how the information is to be dealt with when no longer needed or at the termination of the agreement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.