Most Read Contributor in Australia, September 2016
The Privacy Commissioner has recently released a new resource
for businesses relating to sending personal information overseas.
Whilst the resource does not add to the information in the
Australian Privacy Principles (APP) Guidelines it does reinforce
some important points for Australian businesses who engage overseas
The publication briefly discusses how an overseas 'use'
of personal information is distinguished from a
'disclosure', how the Privacy Act applies to the two
different scenarios and what reasonable steps an organisation could
take to comply with various obligations.
The question of whether the information has been
'disclosed' has centred on whether the Australian
organisation retains effective control of that information. You
might think that this question could be answered by looking at the
practical reality but the guidance provided in the publication
unfortunately takes a more limited view saying 'there are
relatively limited circumstances' in which an organisation
retains such a degree of control.
The example provided talks about a binding contract between the
requires the overseas entity to only handle the information for
the limited purpose of performing the services of storing
requires any subcontractors to agree to the same
gives the Australian organisation effective control of how the
information is handled by the overseas entity.
Importantly, the Commissioner twice makes the following
statement: 'the practical effect of distinguishing a
'use' from a 'disclosure' should not be
overstated.' This may be true in the case of some APPs, for
instance even if the Australian organisation hasn't disclosed
the information they may still be accountable for mishandling of
that information by the overseas entity, on the basis it would
still be considered to 'hold' the information.
However, there are APP's that do not apply
where an organisation does not 'disclose' personal
information. For example, APP 1.4(f) and (g) require an
organisation to include information about overseas disclosures in
also notification requirements that apply where there is disclosure
(as opposed to use). In our experience, this is an important
distinction. As stated in the publication, there is a community
concern regarding sending personal information overseas and some
organisations are therefore sensitive to disclosing this
In summary, this publication presents a rather onerous view of
compliance with an organisation's obligations when sending
personal information overseas. It even leaves out discussion of the
exceptions to compliance with APP8.1 (the requirement to take
reasonable steps to ensure the overseas recipient complies with the
APPs) instead making a brief reference back to the guidelines for
further discussion. This issue therefore remains to be fully
tested, but until then the message is that the buck stops with the
Australian organisation, and the protection of the personal
information of Australians remains the paramount consideration.
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader's
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Those types of personal disclosure may still be permitted under the Privacy Act as long as your house is in order.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).