Counting the cost of outsourcing (part 2)

Welcome to the second instalment of a 3-part series on the risks associated with offshoring personal information. It is increasingly common for organisations to outsource office functions offshore to reduce overhead costs, and the outsourcing of employee payroll has become particularly prevalent with improvements in technology.

A 3-part series on this topic

In part 1, we discussed an organisation’s obligations to protect personal information when offshoring office functions.

Here in part 2, we discuss the offshore outsourcing of employee payroll, as well as some handy tips for safeguarding personal information.

In part 3, we will discuss the redundancy issues associated with outsourcing arrangements.

Carve-out for employee records

The handling of an employee’s personal information by a private organisation is exempt from the Privacy Act 1988 (Cth) (Privacy Act) if it is directly related to:

an employee’s current or former employment relationship; and
an employee record relating to an individual.^[1]

What are employee records?

An employee record may include:

the employee’s name, address, email, phone number or photo;
the engagement, training, disciplining, resignation or termination of employment of an employee;
the terms and conditions of employment;
the employee’s performance or conduct, hours of employment, salary, personal and emergency contact details;
the employee’s professional or trade association or membership;
the employee’s leave entitlements; and
the employee’s taxation, banking or superannuation information.

No cause for concern

An employer is not required to seek employee consent or notify its employees that their personal information may be sent overseas for the purpose of processing payroll. The cross-border disclosure obligations provisions (see part 1) do not apply in these circumstances and the employer will not be liable for any breach of an employee’s privacy by the overseas payroll outsourcing provider.

But there is a catch!

However, the disclosure of personal information by an employer for purposes outside the scope of employment are not exempt from the application of the Privacy Act.^[2] Accordingly, an employer must seek the employee’s consent prior to disclosing their personal information for purposes unrelated to employment. For example, an employer must not:

sell an employee’s personal information to marketing companies; or
provide an employee’s personal information to a debt collector^[3] or insurance company.

Despite this exemption, it remains important for employers to ensure the purpose of disclosing employee personal information to third party providers is directly related to the employee relationship (eg to process employee payroll) and not for any other purpose. Otherwise, they may face fines for failing to comply with the Privacy Act (see part 1).

Handy tips for employers

Employers who outsource office functions offshore should consider the following tips to protect personal information:

Audit: a privacy audit should be performed to account for the implications of outsourcing personal information to an offshore service provider. Careful consideration should be given to the privacy regime in force in the offshore provider’s jurisdiction.
Privacy Act: the offshore service provider’s compliance with the employer’s privacy policy and the Privacy Act should be spelt out in the governing contract.
Service levels: the contract with the offshore provider should contain quality controls, service levels and procedures to safeguard personal information (including the retention and disposal of personal information).
Ownership: the contract with the offshore provider should specify who owns the personal information.
Inspection rights: the contract with the offshore provider should contain inspection and audit rights.
Governing law: the contract with the offshore provider should be governed by Australian law.
Site visit: the offshore service provider’s facilities should be inspected before engaging them.
Insurance: risk should be reallocated by taking out an insurance policy that covers the employer in the event of a breach of the Privacy Act.

Next up on this topic

In part 3 of this blog, we discuss employee redundancies when outsourcing office functions and costly mistakes when failing to properly manage the redundancy process. Stay tuned for this next instalment on wespokelaw.

^[1] Section 7B(3) of the Privacy Act.
^[2] Subject to Australian Privacy Principle (APP) 6.1.
^[3] B v Cleaning Company [2009] PrivCmrA 2.

^{Counting the cost of outsourcing (part 1)}
^{Counting the cost of outsourcing (part 3)}
^{Privacy: a new broom sweeps across borders}
^{Privacy cleared for take off}