This is the first of a 3-part series on risks associated with offshoring personal information. In this series, we will discuss:
It is increasingly common for organisations to outsource office functions offshore to reduce overhead costs.
In doing so, organisations face business and regulatory risks, including:
Protecting commercially sensitive and personal information can be particularly difficult for organisations where offshore service providers:
The Australian Privacy Principles (APPs) regulate the handling of personal information by Australian government agencies and private Australian organisations with an annual turnover of more than $3 million.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion:
This definition captures a large amount of information, including an individual’s:
Private organisations are required to take reasonable steps to protect personal information from:
Before disclosing personal information to an overseas recipient, the private organisation must (unless exceptions apply)[3]:
An organisation does not have to comply with APP 8.1 where the individual, after being expressly informed that APP 8.1 will not apply, consents to the disclosure of their personal information to an overseas recipient.
Importantly, where a private organisation discloses personal information to an overseas recipient, it is accountable for the overseas recipient’s acts that would breach the APPs[4].
When offshoring office functions, an organisation must take reasonable steps to protect personal information from unauthorised access or disclosure, and it may face civil penalties if it does not comply with the Privacy Act when outsourcing back office functions overseas. How serious can that exposure be? It could be liable for penalties of up to $340,000 for individuals, or up to $1.7 million for corporations, per breach[5]. In addition, the Office of the Australian Information Commissioner has the power to accept court-enforceable undertakings in relation to interferences with privacy. That is clearly not a toothless privacy regime.
In Part 2 of this blog, we discuss the offshoring of employee payroll and the regulatory requirements of transferring employee personal information offshore, as well as some handy tips for safeguarding personal information. Stay tuned for this next instalment on wespokelaw.
[1] Section 6(1) of the Privacy Act 1988 (Cth) (Privacy Act).
[2] APP 11.1.
[3] APP 8.1.
[4] Section 16C of the Privacy Act.
[5] Section 13G of the Privacy Act.
Posted on: 2 December 2016