Publication date: 13 June 2019

The aim of this resource is to assist organisations and agencies to understand their obligations under the Australian Privacy Principles (APPs) when sending personal information overseas. This resource supplements, and should be read together with the full text of the APPs, section 16C of the Privacy Act 1988 and the Office of the Australian Information Commissioner’s (OAIC) APP Guidelines.

Key points

  • The APPs that apply when sending personal information overseas partly depend on whether it is a ‘use’ or a ‘disclosure’ of the information.
  • Where it is a disclosure, the organisation or agency must take reasonable steps to ensure the overseas recipient complies with the APPs, and will remain accountable if the overseas recipient breaches the APPs (subject to exceptions).
  • Where it is a use, the organisation or agency may still be considered to ‘hold’ the personal information, even though the information is physically located overseas. For this reason, the entity must comply with the APPs that apply to an organisation or agency that holds personal information, and will be held accountable for a breach of those APPs if they are not complied with.
  • These obligations mean that, in practice, the steps that an organisation or agency takes and their accountability when sending personal information overseas can be similar regardless of whether the information is being used or disclosed.
  • For this reason, where it is unclear whether the personal information is being used or disclosed, the best approach is to take reasonable steps to ensure the APPs are complied with.

Background

The 13 APPs in Schedule 1 of the Privacy Act set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. They apply to Australian Government agencies and many private sector organisations.

The privacy protections that apply when sending personal information overseas reflect a central object of the Privacy Act — facilitating the free flow of information across national borders while ensuring that the privacy of individuals is respected (s 2A(f)). This recognises the global interdependence of today’s economy, underpinned by the flow of information, including personal information, across national borders. At the same time, cross-border transfers of personal information are known to be a source of significant community concern. The framework provided by the Privacy Act addresses the balance between this community concern and the need to send personal information overseas for legitimate business purposes.

The APPs do not prevent an organisation or agency from sending personal information overseas. However, organisations or agencies will need to carefully consider steps that may need to be taken to comply with the APPs. This resource explores some key privacy concepts and issues that will assist entities to understand and comply with the APPs when sending personal information overseas.

How is an overseas ‘use’ of personal information distinguished from an overseas ‘disclosure’ of personal information?

Where an organisation or agency sends personal information overseas, the APPs that apply partly depend on whether this is taken to be a ‘use’ or a ‘disclosure’ of personal information.

The terms ‘use’ and ‘disclosure’ are not defined in the Privacy Act. The APP guidelines include the following guidance about these terms:

  • ‘Use’ — generally, an organisation or agency uses personal information when it handles and manages that information within the organisation or agency’s effective control.
  • ‘Disclosure’ — an organisation or agency discloses personal information when it makes it accessible or visible to others outside the organisation or agency and releases the subsequent handling of the personal information from its effective control.

The distinction between a ‘use’ and a ‘disclosure’ depends on the degree of control the organisation or agency has over the information after it is provided to the overseas recipient. Different obligations apply depending on whether an organisation or agency ‘uses’ or ‘discloses’ personal information. The obligations that apply are discussed in more detail below. For further guidance on the meanings of ‘use’ and ‘disclosure’, see Chapter B (Key Concepts) of the APP guidelines. Chapter 8 (APP 8 — cross-border disclosure of personal information) of the APP guidelines contains further guidance and examples of when the provision of information to an overseas contractor is a use or a disclosure.

However, the OAIC recognises that in some instances it can be difficult to determine whether the information is being ‘used’ or whether it is being ‘disclosed’. In such cases, the practical effect of distinguishing a ‘use’ from a ‘disclosure’ should not be overstated. Whether an organisation or agency sends personal information to an overseas recipient as a ‘use’ or as a ‘disclosure’, it may still be held accountable for mishandling of that information by the overseas recipient. In practice, the steps that an organisation or agency takes and their accountability when sending personal information overseas can be similar regardless of whether the information is being used or disclosed. For this reason, where it is unclear whether the personal information is being used or disclosed, the best approach is to take reasonable steps to ensure the APPs are complied with. An organisation or agency that sends personal information overseas may be liable if the personal information is mishandled.

How does the Privacy Act apply where an organisation or agency ‘discloses’ personal information overseas?

APP 8 and s 16C apply when an organisation or agency discloses personal information overseas. They do not apply where an organisation or agency retains such a degree of control over the information that it is considered to be ‘using’ the information.

APP 8.1 provides that before an organisation or agency discloses personal information about an individual to an overseas recipient, the organisation or agency must take reasonable steps to ensure that the recipient does not breach the APPs in relation to that information. Where an organisation or agency discloses personal information to an overseas recipient, it is accountable for an act or practice of the overseas recipient that would breach the APPs (s 16C). However, there are exceptions to the requirement in APP 8.1 and to the accountability provision in s 16C.

For further guidance on APP 8 and s 16C, see Chapter 8 of the APP Guidelines.

Other APPs that also apply when an organisation or agency discloses personal information overseas include:

  • APPs 1.4(f) and (g) requiring certain information to be included in an organisation or agency’s APP Privacy Policy about likely overseas disclosures
  • APPs 5.2(i) and (j) requiring reasonable steps to be taken to notify an individual or ensure awareness of certain matters about likely overseas disclosures, at or before the time an organisation or agency collects personal information
  • APP 6, which requires an organisation or agency to only use or disclose personal information it holds for the primary purpose for which it was collected or for a related (or in the case of sensitive information, directly related) secondary purpose that is within the individual’s reasonable expectation, unless an exception applies

If an organisation or agency takes reasonable steps to comply with APP 8, can it still be held accountable under section 16C?

Yes. An organisation or agency may be liable for the acts or practices of the overseas recipient even when:

  • the organisation or agency has taken reasonable steps under APP 8.1 to ensure the overseas recipient does not breach the APPs, and the overseas recipient subsequently does an act or practice that would breach the APPs
  • the overseas recipient discloses the individual’s personal information to a subcontractor and the subcontractor breaches the APPs
  • the overseas recipient accidentally breaches the APPs in relation to the information

Exceptions are discussed in Chapter 8 of the APP Guidelines.

When resolving matters brought to its attention under s 16C, the OAIC will take account of the reasonable steps taken by the organisation or agency to comply with APP 8.1.[1] The OAIC’s Privacy Regulatory Action Policy outlines a range of other matters that the OAIC will take into account in deciding when to take privacy regulatory action, and what action to take.

What reasonable steps could an organisation or agency take to comply with APP 8.1?

It is generally expected that an organisation or agency will enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs (other than APP 1), and that it will take steps to ensure compliance with those contractual arrangements.[2] See Chapter 8 of the APP guidelines for a discussion of the terms this contract may include.

However, the steps that are reasonable under APP 8 will depend on factors that include:

  • the sensitivity of the information
  • the possible adverse consequences for an individual if the information is mishandled
  • the organisation or agency’s relationship with the overseas recipient
  • existing technical and operational safeguards
  • the practicability of particular steps, including time and cost involved

Where, having regard to the factors outlined above, it is not reasonable to enter an enforceable contractual arrangement requiring the overseas recipient to comply with all the APPs, an organisation or agency should consider what other steps might satisfy APP 8.1, with a view to minimising the risk that the personal information will be mishandled by the overseas recipient. Such steps should focus on ensuring compliance with those APPs assessed to be of greatest privacy risk in the circumstances, and might include:

  • enforceable contractual arrangements that specify:
    • the purpose/s for which the overseas recipient and any subcontractors are permitted to use or disclose the personal information — noting that APP 6 outlines when an organisation or agency may use or disclose personal information
    • the minimum technical and organisational measures that will apply to ensure the security of the personal information overseas — noting that APP 11 requires an organisation or agency to take active measures to ensure the security of personal information it holds. For examples of steps and strategies which may be reasonable for an organisation or agency to take to secure the information, see the Guide to Securing Personal Information: ‘Reasonable steps’ to protect personal information
    • agreed procedures for providing access to personal information on request, and for making any necessary corrections — noting that APPs 12 and 13 require an organisation or agency to give access to, and correct, an individual’s personal information in certain circumstances
    • mechanisms that enable the organisation or agency to monitor compliance with these arrangements
  • assessing whether terms of an enforceable contract with the overseas recipient require the recipient to handle personal information in a manner that is generally equivalent to the APPs.
  • ensuring non-contractual mechanisms are in place that minimise the risk that personal information will be mishandled by the overseas recipient, for example:
    • Verifying that the overseas recipient has in place technical and organisational safeguards (such as security policies and procedures, staff training in personal information security, access restrictions and audit controls) to ensure that the personal information is secure to the standard required under APP 11. See the Guide to Securing Personal Information: ‘Reasonable steps’ to protect personal information.
    • Asking the recipient to provide the organisation or agency with any internal policies and procedures for handling personal information, such as privacy policies, information-security policies and data retention policies, and checking these provide for practices that are generally equivalent to the APP requirements. In making this assessment, organisations or agencies should be aware that a recipient may be able to change the terms of these policies, procedures and systems without notifying, or seeking agreement, from the organisation or agency.

The OAIC recognises that there are complexities in negotiating such contractual terms, as well as in ensuring these kinds of organisational and technical measures are in place. However, the Privacy Act is clear about an organisation or agency’s accountability where an overseas recipient handles personal information in a way that would breach one or more APPs. The result may well be that an organisation or agency assesses some proposed overseas disclosures of personal information to be unwise. For example, an organisation or agency may decide, based on a risk assessment, not to send personal information to an overseas recipient because the risk that the overseas recipient will mishandle the information is not sufficiently mitigated. Similarly, an organisation or agency may decide against sending personal information to a particular overseas location based on its assessment that the privacy, reputational and commercial risks of doing so are considered too high.[3]

How do I know if I am allowed to send personal information to a specific country?

The OAIC does not have a list of countries with substantially similar laws or binding schemes. For more information about factors that may indicate that the overall effect of a law or binding scheme is substantially similar to the APPs, see APP Guidelines, Chapter 8. You may also wish to seek legal advice on this issue.

How does the Privacy Act apply where an organisation or agency ‘uses’ personal information overseas?

In most circumstances, providing personal information to an overseas recipient (including to a contractor located overseas to perform services on the entity’s behalf) is considered a ‘disclosure’, to which APP 8 and s 16C apply. However, in relatively limited circumstances, an organisation or agency might retain such a degree of control over the information that it is considered to be ‘using’ that information. For example, where an organisation or agency provides personal information to a cloud service provider located overseas, this may be a ‘use’ if the information is provided for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, and a binding contract between the parties:

  • requires the provider only to handle the personal information for these limited purposes
  • requires any subcontractors to agree to the same obligations, and
  • gives the organisation or agency effective control of how the personal information is handled by the provider. Issues to consider include whether the organisation or agency retains the right or power to access, change or retrieve the personal information, who else will be able to access the personal information and for what purposes, what type of security measures will be used for the storage and management of the personal information (see also APP 11.1, Chapter 11 of the APP guidelines) and whether the personal information can be retrieved or permanently deleted by the organisation or agency when no longer required or at the end of the contract

Whether or not other examples are considered a ‘use’ or a ‘disclosure’ will depend on the circumstances of each individual case, having regard to the degree of control held by the organisation or agency. However, the practical effect of distinguishing a ‘use’ from a ‘disclosure’ should not be overstated under the Privacy Act. An organisation or agency that sends personal information to an overseas recipient as a ‘use’ may still be held accountable for mishandling of that information by the overseas recipient, on the basis that it is considered to still ‘hold’ the information, even though the information is physically located overseas.

A number of APPs apply to an organisation or agency that ‘holds’ personal information (such as APPs 6, 11, 12 and 13). An entity ‘holds’ personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)). This means that one organisation or agency can physically possess personal information that another organisation or agency controls. In such situations, both organisations or agencies will ‘hold’ the information at the same time. If covered by the Privacy Act, each will have separate responsibilities in relation to handling that information under the Privacy Act. In the context where an organisation or agency sends personal information overseas, the organisation or agency that sends the personal information overseas may breach these APPs if the information is mishandled by the recipient. For example, the organisation or agency:

  • may be in breach of APP 6, which requires an organisation or agency to only use or disclose personal information it holds for the primary purpose for which it was collected (exceptions apply), if there is an unauthorised use or disclosure of the information
  • may be in breach of APP 11.1 if it has not taken reasonable steps to ensure the security of the information while it is in the overseas recipient’s physical possession
  • must comply with the requirements in APPs 12 and 13 relating to access and correction of personal information, even though the information is in the overseas recipient’s physical possession

For further discussion of the meaning of ‘holds’, see Chapter B (Key Concepts) of the APP Guidelines.

Does the Privacy Act prevent an organisation or agency from storing or processing personal information in the cloud overseas?[4]

Generally, no.[5] The Privacy Act does not prevent an organisation or agency from engaging a cloud service provider to store or process personal information overseas. The organisation or agency must comply with the APPs in sending personal information to the overseas cloud service provider, just as they need to for any other overseas outsourcing arrangement.

In addition, the OAIC’s Guide to Securing Personal Information: ‘Reasonable steps’ to protect personal information discusses security considerations that may be relevant under APP 11 when using cloud computing.

More information

The following resources may also assist organisations or agencies to understand and comply with the requirements in the Privacy Act when sending personal information overseas:

  • Australian Privacy Principles Guidelines for more information about interpreting and applying the APPs
  • The Privacy Regulatory Action Policy, which explains the OAIC’s overall approach and priorities when using its privacy regulatory powers and making related public communications
  • The Digital Transformation Agency has released the Australian Government Secure Cloud Strategy. The strategy, and practical guidance to assist agencies to procure and use cloud services, are available at www.dta.gov.au/our-projects/secure-cloud-strategy
  • The Department of Communications, Cloud Computing Regulatory Stock Take, available at www.communications.gov.au, provides an overview of some key areas of Commonwealth regulation that may apply to cloud services.

The information provided in this resource is of a general nature. It is not a substitute for legal advice. Organisations or agencies will need to consider how the Privacy Act applies to their particular situation.

Footnotes

[1] OAIC's Privacy Regulatory Action Policy, paragraph 3.

[2] An agency that discloses personal information to a recipient that is engaged as a contracted service provider must take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an APP if done by that agency (s 95B). Contractual measures taken under s 95B will generally satisfy the requirement in APP 8.1.

[3] Section 13D provides that ‘an act or practice of an organisation done or engaged in outside Australia and an external Territory is not an interference with the privacy of an individual if the act or practice is required by an applicable foreign law’. The effect of this provision is that where an overseas recipient of personal information does an act or practice that is required by an applicable foreign law, this will not breach the Privacy Act and the organisation or agency will not be held accountable. However, section 13D only applies where an overseas recipient has a legal obligation to handle personal information in a particular way, and not where the law only authorises the handling of the information in that way, or is unclear. In addition, an organisation or agency’s customers may have concerns about any unexpected disclosure of their personal information by the overseas recipient, particularly if this is made at the request of a foreign government.

[4] Cloud computing is a term used for delivering hosted services over the internet to remotely store, process and share digital data, Australian Communications and Media Authority, The Cloud – Services, Computing and Digital Data Emerging Issues in Media and Communications, p. 4, www.acma.gov.au.

[5] However, part IIIA of the Privacy Act, which regulates credit reporting, includes some restrictions on sending information held in the Australian credit reporting system overseas. The Personally Controlled Electronic Health Records (PCEHR) Act 2012, which gives the Commissioner certain regulatory responsibilities in relation to the PCEHR system, prevents certain PCEHR operators and service providers from holding, taking, processing or handling records held for PCEHR purposes outside Australia, and from causing or permitting anyone else to do so.