The Office of the Australian Information Commissioner (OAIC) recently issued Privacy agency resource No. 4: Sending personal information overseas to provide agencies some guidance on their obligations under the Australian Privacy Principles (APPs).
The difference between an overseas "use" or "disclosure" of personal information
The specific APPs that apply when personal information is sent overseas depend on whether there has been a "use" or "disclosure" of personal information.
Unfortunately, neither of these terms is defined in the Privacy Act 1988 (Cth). However, the guidance contained in the APP Guidelines draws a distinction based on the degree of control the APP entity retains over the information after it is provided to the overseas recipient.
Despite the guidance, the OAIC recognises that, in some instances, it can be difficult to determine whether the information is being "used" or whether it is being "disclosed". In such cases, the OAIC cautions against drawing too much of a distinction between the two, as an APP entity may still be held accountable for the mishandling of that information by the overseas recipient, regardless of which one it was.
Further, the OAIC notes that the steps an APP entity must take and its accountability may be similar regardless of whether the information is being used or disclosed.
How does the Privacy Act apply to disclosure of personal information overseas?
The key provisions of the Privacy Act that apply in these circumstances are APP 8 and s 16C.
APP 8.1 requires an APP entity, before it discloses personal information to an overseas recipient, to take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to that information. Where an entity discloses personal information to an overseas recipient, it is accountable for the overseas recipient's breach of the APPs (s 16C). However, both of these provisions are subject to exceptions.
What reasonable steps could an APP entity take to comply with APP 8.1?
The OAIC generally expects an APP entity to enter into an enforceable contractual arrangement with the overseas recipient, requiring the recipient to handle the personal information in line with the APPs (other than APP 1), along with taking steps to ensure compliance with those contractual arrangements.
However, where it is not reasonable to enter into an enforceable contractual arrangement, the OAIC expects the APP entity to consider what other steps might satisfy APP 8.1 and to minimise the risk that the personal information will be mishandled by the overseas recipient.
Even if you take "reasonable steps", can you still be held accountable?
Yes. The OAIC states that an APP entity may be liable for the acts or practices of the overseas recipient even when:
- the entity has taken reasonable steps under APP 8.1 and the overseas recipient subsequently does an act or practice that would breach the APPs
- the overseas recipient discloses the individual's personal information to a subcontractor and the subcontractor breaches the APPs, or
- the overseas recipient accidentally breaches the APPs.
However, the OAIC will consider the reasonable steps taken by the entity to comply with APP 8.1 when resolving the matter.
How does the Privacy Act apply to uses of personal information overseas?
If an APP entity retains enough control over the information, it may be considered to be "using" that information rather than disclosing it. For example, an entity may be "using" personal information where it provides that information to an overseas cloud service provider for the limited purpose of the provider storing and accessing the information on the entity's behalf, and there is a binding contract between the parties that:
- limits the provider's handling of the information to these purposes
- requires any subcontractors to agree to the same obligations, and
- gives the entity effective control over how the personal information is handled by the provider.
In such a case, an APP entity may still be held accountable for the overseas recipient's mishandling of the information, as it is considered to still hold the information even though the information is physically located overseas. For example, the entity:
- may breach APP 6 (requiring an entity to only use or disclose personal information for the primary purpose for which it was collected), if there is an unauthorised use or disclosure of the information
- may breach APP 11.1 if it has not taken reasonable steps to ensure the security of the information in the overseas recipient's possession, and
- must still comply with APPs 12 and 13 (requirements of access and correction of personal information), even though the information is in the overseas recipient's possession.
What this means for agencies
The applicability of the Privacy Act to overseas service providers is a complicated area. While there is still a long way to go to provide certainty, the guidance by the OAIC is welcome and indicates that it is willing to grapple with the complexities of the problems.
We will continue to keep you informed of developments in this area.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.