The Privacy Commissioner has recently released a new resource for businesses relating to sending personal information overseas. Whilst the resource does not add to the information in the Australian Privacy Principles (APP) Guidelines, it does reinforce some important points for Australian businesses that engage overseas service providers.

The publication briefly discusses how an overseas 'use' of personal information is distinguished from a 'disclosure', how the Privacy Act applies to the two different scenarios and what reasonable steps an organisation could take to comply with various obligations.

The question of whether the information has been 'disclosed' has centred on whether the Australian organisation retains effective control of that information. You might think that this question could be answered by looking at the practical reality, but the guidance provided in the publication unfortunately takes a more limited view, saying 'there are relatively limited circumstances' in which an organisation retains such a degree of control.

The example provided talks about a binding contract between the parties that:

  • requires the overseas entity to only handle the information for the limited purpose of performing the services of storing information;
  • requires any subcontractors to agree to the same obligations;
  • gives the Australian organisation effective control of how the information is handled by the overseas entity.

Importantly, the Commissioner twice makes the following statement: 'the practical effect of distinguishing a "use" from a "disclosure" should not be overstated.' This may be true in the case of some APPs. For instance, even if the Australian organisation hasn't disclosed the information, it may still be accountable for mishandling of that information by the overseas entity, on the basis that it would still be considered to 'hold' the information.

However, there are APPs that do not apply where an organisation does not 'disclose' personal information. For example, APP 1.4(f) and (g) require an organisation to include information about overseas disclosures in its privacy policy, which is made publicly available, and there are also notification requirements that apply where there is disclosure (as opposed to use). In our experience, this is an important distinction. As stated in the publication, there is a community concern regarding sending personal information overseas and some organisations are therefore sensitive to disclosing this information.

In summary, this publication presents a rather onerous view of compliance with an organisation's obligations when sending personal information overseas. It even leaves out discussion of the exceptions to compliance with APP 8.1 (the requirement to take reasonable steps to ensure the overseas recipient complies with the APPs), instead making a brief reference back to the guidelines for further discussion. This issue therefore remains to be fully tested, but until then the message is that the buck stops with the Australian organisation, and the protection of the personal information of Australians remains the paramount consideration.
