Does your business send personal information about individuals overseas? Are you aware of your obligations when doing so?
The relevant framework for the cross-border disclosure of personal information is found in the Australian Privacy Principles (APPs). The APPs require that you take reasonable steps to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs. In many circumstances, the APPs will deem your business liable if the recipient mishandles the information.
Who is an overseas recipient?
An overseas recipient is an entity that:
- receives personal information from your business;
- is not in Australia;
- is not the same entity as your business; and
- is not the individual to whom the personal information relates.
This means that information sent to one of your own overseas offices will not be a disclosure to an overseas recipient, but information sent to an overseas related body corporate will be.
What is ‘disclosure’ of personal information?
You will ‘disclose’ personal information if you make it accessible to others outside your entity and release the subsequent handling of that information from your effective control.
This may be in the form of a proactive release, a release in response to a specific request, an accidental release or an unauthorised release by an employee. For example, you might reveal personal information at an international conference, send a hard copy document or email containing an individual’s personal information to an overseas recipient or publish personal information on the internet where it is accessible to an overseas recipient.
In situations where your business engages an overseas contractor to perform services on your behalf (such as word processing, logistics or IT support), the provision of any personal information to that contractor will, in most circumstances, be a disclosure.
What is ‘use’ of personal information?
Generally, you ‘use’ personal information when you handle and manage it within your effective control. For example, you use personal information when accessing and reading it, searching records for it, making a decision based on it or passing it from one part of the entity to another.
If you were to provide personal information to an overseas recipient via a server in a different overseas location, there would not usually be disclosure until the information reaches the overseas recipient. This means that routing personal information, in transit, through servers located outside Australia, would usually be considered a ‘use’.
In limited circumstances, giving personal information to a service provider or contractor may be a ‘use’ of that information rather than a disclosure. For the release to be a ‘use’, the service provider will usually have to have a binding contract with your business that restricts the service provider from handling the personal information in any way other than the limited circumstances for which the personal information was released.
Why does the difference matter?
For a number of APPs, it is not necessary to distinguish between a ‘use’ and a ‘disclosure’, as the same obligations apply to both. Other APPs, in particular APP 8 (which governs the cross-border disclosure of personal information), apply only to ‘disclosure’ and not to ‘use’, so it is important to know how to distinguish the two for this purpose.
What are the consequences of disclosing personal information overseas?
If you disclose personal information to an overseas recipient, you will be held accountable, in certain circumstances, for a subsequent act or practice by the recipient in relation to the information. If the overseas recipient engages in conduct that would breach the APPs (if they applied to the recipient), the business that disclosed the personal information to the overseas recipient is deemed to have engaged in that conduct and to have breached the APPs.
This may be the case even where:
- your business has taken reasonable steps to ensure the overseas recipient complies with the APPs and it subsequently engages in conduct that would breach the APPs;
- the overseas recipient discloses the personal information to a subcontractor and the subcontractor breaches the APPs; and
- the overseas recipient inadvertently breaches the APPs in relation to the information.
These consequences are alarming and, in most cases, outside your control once the information has been disclosed to the overseas recipient. Therefore, it is essential to take precautions and to disclose personal information to overseas entities only in situations where you are confident in its subsequent handling.