
Sharing Personal Information Overseas

Written by Sally Wood
Updated over a year ago

The Australian Privacy Principles (APPs) are the cornerstone of the privacy protection framework in the Privacy Act. There are 13 APPs, and they govern the standards, rights and obligations around an APP Entity’s collection, use, handling, storage, access, and disclosure of Personal Information. A breach of an APP is considered under the Privacy Act as an interference with the privacy of an individual and can lead to regulatory action and penalties.

One of the most important is APP 8, which deals with cross-border disclosure of personal information, given our interconnected world and how often personal information is transferred outside Australia. Let's explore what your organisation needs to know.

Risk Management in Overseas Data Transfer

Before an organisation can transfer or disclose personal information to an Overseas Recipient (someone outside Australia), the organisation must take reasonable steps to ensure that the Overseas Recipient does not breach any of the APPs, UNLESS one of the following exceptions applies:

  1. The Overseas Recipient is likely to be subject to a law that protects the personal information in a way that is at least substantially similar to the way it would be protected under the APPs, and the individual to whom the personal information relates has a pathway to take action to enforce that protection (for example, the Overseas Recipient is based in the European Union and the personal information is protected by the General Data Protection Regulation).

  2. The organisation has expressly informed an individual that their personal information will be shared with the Overseas Recipient AND the individual has consented to their personal information being shared (it is not acceptable to vaguely include this in any standard terms and conditions that an organisation requires an individual to sign).

  3. The personal information is permitted to be shared with the Overseas Recipient under an Australian law or court/tribunal order.

It is important to note that unless one of these exceptions applies, an organisation will be accountable if the Overseas Recipient mishandles the personal information it receives. See section 16C of the Privacy Act.

Examples of Overseas Disclosure

The following are common examples of where organisations may disclose/share personal information with an Overseas Recipient:

  • Selling personal information

  • Outsourcing tasks to organisations or individuals offshore (like a virtual assistant) that involve the handling of personal information

  • Revealing personal information at an international conference or meeting overseas

  • Overseas customer support or support from other professional service providers (like outsourced IT or marketing)

  • Situations involving international suppliers (for example an organisation engaged in drop shipping where the supplier is an Overseas Recipient) and

  • Publishing personal information on the internet (whether intentionally or not) where it is accessible to an Overseas Recipient

Cloud Services Exemptions

In limited circumstances personal information can be provided to an Overseas Recipient without having to comply with APP 8, provided the organisation retains effective control over how the personal information is subsequently handled.

For example, where an organisation provides personal information to a cloud service provider located overseas for the limited purpose of performing the services of storing and ensuring the entity may access the personal information (but there is a binding contract in place that gives the organisation full control over how the personal information is handled by the Overseas Recipient). These circumstances are considered a ‘use’ instead of ‘disclosure’ of personal information, and APP 8 only relates to disclosure to Overseas Recipients.[1]

Reasonable Steps

If no exceptions apply to an organisation then the organisation must take reasonable steps to comply with APP8. However, what is considered ‘reasonable steps’ may depend on the size of the organisation, the nature of the industry, where the personal information is being disclosed and how the personal information is being disclosed.

Examples of some ‘reasonable steps’ to ensure an Overseas Recipient complies with APP8 are as follows:

  • Include data protection clauses in contracts with the Overseas Recipient, which would include a requirement to comply with the Privacy Act and the APPs (amongst other things, such as only using the information for the authorised purpose and having a data breach notification process in place).

  • Restrict data use and onward transfers by limiting the type and amount of personal information shared, and impose restrictions on further disclosure by Overseas Recipients.

  • De-identify the information where possible (for example, if a financial adviser sends notes containing personal information to an overseas virtual assistant to type up their statement of advice, they might replace the obvious personal identifying information, such as a name and address, with a numeric code. Once the statement of advice comes back, the financial adviser can substitute the original information back in place of the code).

  • Make enquiries and conduct due diligence to assess the privacy practices of the Overseas Recipient before sharing any personal information.

  • Encrypt data in transit and at rest to protect it from unauthorised access.

  • Implement access controls to limit who can access the information within the Overseas Recipient’s organisation.

  • Establish clear internal policies and procedures for sharing personal information with Overseas Recipients and ensure staff understand their responsibilities.

  • Train staff on the internal policies and procedures and ensure they understand the risks with overseas transfers of data.

  • Maintain records of overseas disclosures of personal information, including the details of the recipient, purpose of the disclosure and safeguards implemented.

  • Regularly assess the Overseas Recipient’s compliance with the contractual data protection clauses and undertake periodic audits of their practices and security measures.
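As an added illustration of the de-identification step described above (example code, not part of the article): a small Python helper that swaps identifying values for opaque codes, keeps the code-to-value mapping onshore, checks that nothing identifying remains before the text is sent, and restores the originals when the document comes back. The adviser's notes, names and identifiers are constructed samples.

```python
import re
import secrets

# Constructed sample: the kind of notes an adviser might send to an offshore assistant.
NOTES = ("Client Jane Citizen (DOB 04/07/1975) of 12 Example St, Sydney "
         "would like to retire at 60. Jane's partner is not a client.")
IDENTIFIERS = ["Jane Citizen", "Jane", "04/07/1975", "12 Example St, Sydney"]

CODE_PATTERN = re.compile(r"\[\[REF-[0-9A-F]{8}\]\]")


class OnshoreVault:
    """Holds the code <-> value mapping. Only the coded text leaves Australia."""

    def __init__(self):
        self.code_to_value = {}
        self.value_to_code = {}

    def code_for(self, value):
        if value not in self.value_to_code:
            code = f"[[REF-{secrets.token_hex(4).upper()}]]"
            while code in self.code_to_value:          # collision guard
                code = f"[[REF-{secrets.token_hex(4).upper()}]]"
            self.value_to_code[value] = code
            self.code_to_value[code] = value
        return self.value_to_code[value]

    def pseudonymise(self, text, identifiers):
        # Longest first, so "Jane Citizen" is coded before the bare "Jane".
        for ident in sorted(identifiers, key=len, reverse=True):
            text = text.replace(ident, self.code_for(ident))
        return text

    def reidentify(self, text):
        # Codes the vault does not know are left untouched rather than guessed.
        return CODE_PATTERN.sub(
            lambda m: self.code_to_value.get(m.group(0), m.group(0)), text)


def residual_identifiers(text, identifiers):
    """Pre-send check: any identifier still visible in the outbound text."""
    return [i for i in identifiers if i in text]


def round_trip(notes=NOTES, identifiers=IDENTIFIERS):
    vault = OnshoreVault()
    outbound = vault.pseudonymise(notes, identifiers)
    # Simulate the overseas assistant editing the wording around the codes.
    returned = outbound.replace("would like to", "plans to")
    return outbound, vault.reidentify(returned)
```

The mapping never leaves the vault, so a compromise of the returned document on the recipient's side exposes only the codes.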

A specialised cybersecurity consultant could assist with developing specific technical controls and measures for your organisation when sharing personal information with an Overseas Recipient.

It is recommended that you seek legal advice if you are unsure how to comply with APP8 or if you are unsure if an exception applies to your organisation.

This help article does not purport to be legal advice, and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the Privacy Act.


[1] However, the organisation must ensure that it uses a reputable cloud service provider (for example AWS) that stores data overseas, ideally in countries with privacy laws similar to Australia's, because if that data is accessed without authorisation (i.e. hacked) the organisation is still liable under the Privacy Act.
