Welcome to the second instalment of a 3-part series on the risks associated with offshoring personal information. It is increasingly common for organisations to outsource office functions offshore to reduce overhead costs, and the outsourcing of employee payroll has become particularly prevalent with improvements in technology.
In part 1, we discussed an organisation’s obligations to protect personal information when offshoring office functions.
Here in part 2, we discuss the offshore outsourcing of employee payroll, as well as some handy tips for safeguarding personal information.
In part 3, we will discuss the redundancy issues associated with outsourcing arrangements.
The handling of an employee’s personal information by a private organisation is exempt from the Privacy Act 1988 (Cth) (Privacy Act) if it is directly related to:
An employee record may include:
An employer is not required to seek employee consent or notify its employees that their personal information may be sent overseas for the purpose of processing payroll. The cross-border disclosure provisions (see part 1) do not apply in these circumstances and the employer will not be liable for any breach of an employee’s privacy by the overseas payroll outsourcing provider.
However, the disclosure of personal information by an employer for purposes outside the scope of employment is not exempt from the application of the Privacy Act.[2] Accordingly, an employer must seek the employee’s consent prior to disclosing their personal information for purposes unrelated to employment. For example, an employer must not:
Despite this exemption, it remains important for employers to ensure the purpose of disclosing employee personal information to third party providers is directly related to the employee relationship (eg to process employee payroll) and not for any other purpose. Otherwise, they may face fines for failing to comply with the Privacy Act (see part 1).
Employers who outsource office functions offshore should consider the following tips to protect personal information:
In part 3 of this blog, we discuss employee redundancies when outsourcing office functions and costly mistakes when failing to properly manage the redundancy process. Stay tuned for this next instalment on wespokelaw.
[1] Section 7B(3) of the Privacy Act.
[2] Subject to Australian Privacy Principle (APP) 6.1.
[3] B v Cleaning Company [2009] PrivCmrA 2.
Posted on: 9 January 2017