Consistent with its advices on commencement of the major amendments to the Privacy Act 1988 (Cth), the Office of the Australian Information Commissioner has published two important agency resources in recent times worthy of note. These relate to protection of privacy of Tax File Number information and the sending of private information overseas. Partner, Stephen Hughes, discusses.
The Tax File Number (TFN) Resource provides a number of recommended steps agencies (including employers) should consider to protect TFN information in compliance with the separate TFN Rule.
Under the TFN Rule, a “TFN recipient” covers any person, agency, organisation or other entity in possession or control of a record that contains TFN information. The TFN Rule applies to the TFN information of individuals only, which is information that connects a TFN with that individual’s identity. The TFN Rule provides that a TFN recipient must not record, collect, use or disclose TFN information unless permitted or required to do so by law.
The TFN Resource reinforces that only a limited number of agencies and organisations are legally allowed to ask for and receive TFN information (a list of authorised/ lawful TFN recipients is maintained by the Australian Tax Office and Australian Prudential Regulation Authority ). It is also made clear that there is no legal requirement for individuals to provide their TFN, even if asked by an authorised TFN recipient, although there may be significant consequences of not doing so (referred to as the “voluntary quotation principle”).
If an authorised TFN recipient requests an individual’s TFN, the individual must be informed of the legislation that authorises the collection of the TFN, the purpose of the collection and that while it is not an offence to refuse to supply the TFN there could be adverse consequences for the individual flowing from the refusal. Additionally, steps should be taken to ensure the collection does not unreasonably intrude on the individual’s personal affairs and to only request and collect to the extent that it is relevant and necessary.
The TFN Resource also indicates that under the TFN Rule, a TFN recipient must not record, collect, use or disclose a TFN unless it is specifically permitted under legislation, and that if an individual happens to provide their TFN for a purpose not connected with such legislation then the individual has the right to have the TFN removed from the provided information.
An individual's TFN information can only be used or disclosed for a legislated purpose, such as for the production of a group certificate. TFNs cannot be used, for example, to confirm an individual's identity.
Further, under the TFN Rule, TFN recipients must take reasonable steps to:
- safeguard TFN information from unauthorised access, use, modification, disclosure or loss regardless of how the information is stored
- restrict access to records containing TFN information to appropriate staff.
Reasonable safeguarding steps might include:
- review of governance, culture and training regimes
- introduction of privacy and personal information security steps and strategies
- introduction of clear and specific procedures for decisions related to personal information security with high levels of accountability
- implementation of specific training on TFN information security
- introduction of security access to certain levels of information (such as TFN information)
- introducing access/ login trails and conducting regular audits to monitor access
- enforcing password complexity, rotation and avoidance of common access codes
- conducting hardware and software audits and upgrades to ensure that firewalls, anti-virus software and programs are at fully secure status
- regular audit of internet event logs (for evidence of potential hacking attempts)
- enforcing physical security (locked offices and cabinets) where TFN information is stored in hardcopy.
TFN recipients, when required to do so, must also take reasonable steps to permanently destroy or de-identify TFN information when they are no longer required by law to retain the information or if the individual has requested destruction or de-identification.
In relation to the sending of personal information overseas, the Privacy Business Resource 8 provides assistance to organisations subject to the Australian Privacy Principles (APP) to comply with their obligations. The key points of the Privacy Business Resource are:
- The APPs that apply when sending personal information overseas partly depend on whether it is a ‘use’ or a ‘disclosure’ of the information.
- Where it is a disclosure, the APP entity must take reasonable steps to ensure the overseas recipient complies with the APPs, and will remain accountable if the overseas recipient breaches the APPs (subject to exceptions).
- Where it is a use, the APP entity may still be considered to 'hold' the personal information, even though the information is physically located overseas. For this reason, the entity must comply with the APPs that apply to an APP entity that holds personal information, and will be held accountable for a breach of those APPs if they are not complied with.
- These obligations mean that, in practice, the steps that an APP entity takes and their accountability when sending personal information overseas can be similar regardless of whether the information is being used or disclosed.
- For this reason, where it is unclear whether the personal information is being used or disclosed, the best approach is to take reasonable steps to ensure the APPs are complied with.
It is to be noted that the Privacy Act does not define either of the terms “use” or “disclosure”. However the APP Guidelines and this Resource indicate the distinction is to be drawn from the degree of control the APP entity (the Australian entity subject to the Privacy Act and APPs) retains over the information after it is exported. The distinction may however be somewhat immaterial if the Office of the Australian Information Commissioner (OAIC) comes to the conclusion that the information has been mishandled by the overseas recipient and determines to hold the APP entity liable.
Despite the guidance, the OAIC recognises that, in some instances, it can be difficult to determine whether the information is being "used" or whether it is being "disclosed". In such cases, the OAIC cautions against drawing too much of a distinction between the two, as an APP entity may still be held accountable for the mishandling of that information by the overseas recipient, regardless of which one it was.
“Cloud computing” is now a common manner of storing all digital information by public agencies and private organisations/ businesses, including APP entities. Where personal information is provided to an overseas cloud service provider (CSP) for the limited purpose of storing the information and allowing the information to be accessible, the usual terms of cloud storage use ought to:
- restrict the CSP's handling of the information to that limited purpose
- require any CSP subcontractors to contract to the same obligations
- give the APP entity effective control over the personal information.
In such a case, the APP entity may still be accountable for any mishandling of the personal information by the CSP, as it would still be considered to be holding the information even though the personal information is actually located on a computer server situated outside of Australia.
APP 8 and section 16 of the Privacy Act are the key legislated provisions that apply to the sending of personal information overseas.
Principle 8.1 requires an APP entity to take reasonable steps to ensure the overseas recipient does not breach the APPs in respect of personal information disclosed to it. What constitutes reasonable steps depends on the circumstances, but it appears that the OAIC at least expects that the APP entity has entered into enforceable contractual arrangements which allow the APP entity to handle personal information in accordance with the APPs and to monitor compliance with those contractual requirements. It is important to note however that even where reasonable steps have been taken by the APP entity, it remains liable for any breach of the APPs by the overseas recipient or its contractors (although the extent of the steps taken are to be considered in the determination of penalty).
To highlight the potential risks, it should be noted that the APP entity might be liable:
- if there is an unauthorised use or disclosure of personal information
- if it has not taken reasonable steps to ensure the security of the personal information in the possession of the overseas recipient.