In our last Intellectual Property Update, we explored some of the new and updated obligations and duties imposed on entities, by the Office of the Australian Information Commissioner (OAIC), in the second tranche of the draft Australian Privacy Principles Guidelines (Guidelines). The draft Guidelines deal with Australian Privacy Principles (APPs) 6 to 11 which:
assist organisations in determining when they can make use of and disclose the personal information they have collected;
encourage organisations to refrain from using personal information for direct marketing purposes (unless permitted to do so where an exception applies) and to develop “opt-out” mechanisms for consumers and/or their customers;
oblige organisations who operate on a global scale to observe the APPs overseas and to ensure their contractors/agents do the same;
prevent organisations from making use of or disclosing government related identifiers; and
ensure organisations keep their personal information collection up-to-date, accurate and secure.
One of the new obligations contained in the APPs and explained by the Guidelines is APP 8, which requires organisations to observe the APPs at home and abroad. It is essential that organisations understand the extent of their duties pursuant to the APPs and the mechanisms they can introduce or develop to facilitate these newfound and extensive responsibilities.
Understand and observe the APPs at home and abroad
A new feature of the Privacy Act 1988 (Cth) (Privacy Act) is APP 8, which imposes significant obligations on, and expands the potential liability of, organisations that disclose personal information to overseas recipients. Organisations must take reasonable steps to ensure that an overseas recipient does not breach the APPs in relation to that information (APP 8.1), and will be held accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (section 16C of the Privacy Act).
An overseas recipient is a person who receives personal information from an organisation and who is not in Australia or an external territory, not the organisation disclosing the personal information, and not the individual to whom the information relates.
So when does APP 8 apply?
An organisation needs to bear in mind the application of APP 8 on two levels – firstly, where it is communicating personal information to overseas entities and secondly, where it has empowered and enabled an overseas entity to deal with the personal information it possesses and/or has collected.
The Guidelines suggest that an organisation, on an individual level, will be held to have “disclosed” personal information to an overseas entity where it:
shares personal information with an overseas recipient;
discusses personal information at an international conference or meeting abroad;
sends a hard copy document or email containing an individual’s personal information to an overseas client; and
publishes the information on the internet, regardless of whether it intended to do so or not.
The potential liability of an organisation may be enlivened where it engages a contractor located overseas to perform services on its behalf (for example, where an Australian organisation relies on an overseas arm of its company to provide certain services and it provides that arm with applicable information so that it can perform those services). The provision of any personal information to the contractor is a “disclosure”, and before disclosing that information the organisation will need to ensure that the contractor will not breach the APPs in relation to that information. The organisation will also need to ensure that any subcontractors employed by the contractor do not breach the APPs in relation to that information.
An organisation may be able to disclose information to an overseas recipient without complying with APP 8 if:
it reasonably believes that overseas recipient in question is bound by a law or policy which requires it to protect and maintain personal information in a manner which is substantially similar to the APPs;
the organisation has informed the individual in question that if they consent to the disclosure of their personal information, APP 8 will not apply and the individual then consents to the disclosure;
the organisation is required to do so “by or under an Australian law or a court/tribunal order”;
the organisation is “required or authorised to do so by or under an international agreement”; and
the organisation and/or its overseas recipient is required to do so under an applicable foreign law.
What reasonable steps can I or my organisation take?
In order to determine what steps will be appropriate or necessary for your organisation to take in order to comply with APP 8, it is necessary for you to consider the nature of the personal information being handled, the nature of the relationship between your organisation and the overseas recipient in question, the risk of harm to one of your customers and/or a consumer if that information is mismanaged, whether the overseas recipient has “information protection” protocols in place and how practical it is for your organisation to take those steps.
Ensure your security system is fit for purpose: The Guidelines stipulate that an organisation will not be held to have disclosed personal information where a third party entity (such as Anonymous or other illegal groups) manages to breach the organisation’s security system and gain unauthorised access to personal information. However, an organisation may be held to have breached APP 11 if it fails to take reasonable steps to protect the personal information it holds or has collected from unauthorised access. Accordingly, organisations should take every necessary step to put in place the most secure system possible to protect their personal information collections.
Enter into a privacy agreement with the overseas recipient: In order to make it easier for your organisation to ensure that the overseas recipient you are dealing with complies with the APPs, it is advisable that your organisation enter into a contractual arrangement with the overseas recipient. Such a contractual arrangement should require the overseas recipient to handle any personal information it receives in accordance with the APPs. For example, any such contract may:
stipulate the types of personal information to be disclosed and the purpose of disclosure;
require the overseas recipient to enter into a similar privacy arrangement with any subcontractor it engages;
provide for the setting up of a complaint handling process for privacy complaints; and
set up a process to be followed where the overseas recipient has suffered a data breach (for whatever reason).
Where to from here?
Although the Guidelines will not have legislative force, they will be used actively by the OAIC in determining how to exercise their powers. Accordingly, it is advisable that your organisation:
develop an understanding of what personal information it can and cannot disclose;
provide individuals with opt-out mechanisms and comply with any opt-out requests; and
ensure that its overseas associates/agents comply with the APPs.
Lavan Legal comment
You need to review your internal policies regarding the disclosure of personal information to overseas entities and develop a procedure to ensure that your overseas associates observe the APPs. All of this needs to be done before the new privacy laws come into force on 12 March 2014. Don’t leave it too late.
Lavan Legal can assist you in developing appropriate internal policies for the handling, use and/or disclosure of personal information and/or in identifying any problems with your existing privacy protections and policies.