Are you planning to send personal information overseas?
A recent media article reported that the Department of Defence had terminated the contract of a supplier after it found out the provider was processing and hosting employees’ personal information on servers hosted overseas. This contravened the conditions of the contract between the two parties.
Although this incident occurred with a Commonwealth agency, it highlights a sensitivity about personal information being transferred overseas that is common to Australian privacy jurisdictions. Queensland’s Information Privacy Act 2009 (the IP Act) has specific rules aimed at continuing to protect the privacy of personal information when it is transferred overseas.
What are the rules for transferring personal information outside Australia?
Section 33 of the IP Act sets out that an agency may transfer personal information outside of Australia only if:
- the individual has agreed to the transfer; or
- the transfer is authorised or required under a law; or
- the agency is satisfied on reasonable grounds that the transfer is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of any individual, or to public health, safety and welfare; or
- two or more of the following apply:
  - the agency reasonably believes that the recipient of the personal information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the IPPs or, if the agency is a health agency, the NPPs;
  - the transfer is necessary for the performance of the agency's functions in relation to the individual;
  - the transfer is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement;
  - the agency has taken reasonable steps to ensure that the personal information it transfers will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the IPPs or, if the agency is a health agency, the NPPs.
A common misconception is that the provision of a ‘collection notice’ on its own will always equate to consent. While a collection notice can inform an individual of the potential for overseas transfer, receipt of a collection notice by the individual is a passive process, whereas agreement requires action by the individual. Agreement can be recorded by, for example, the individual ticking an opt-in box or signing to confirm that they understand their personal information will be transferred overseas and that they agree to this. Agreement can also be taken to exist where the informed individual has the capacity to exercise a choice about whether or not to participate and provide their personal information.
Considerations when contracting with a non-government agency
Chapter 2, part 4 of the IP Act requires a contracting agency to take all reasonable steps to ensure that a contracted service provider is contractually bound to comply with the IPPs (and NPPs, if the contracting agency is a health agency) and with section 33 concerning the transfer of personal information outside Australia.
A bound contracted service provider can only transfer personal information outside Australia—for example, by sub-contracting to a cloud-based service that uses servers physically located in a country other than Australia—where they satisfy one of the requirements set out in section 33.
Where the contracting agency interacts directly with the overseas-based sub-contractor, it could be that it is the agency, rather than the bound contracted service provider, that will be responsible for complying with the section 33 requirements.
How can an agency manage the risks of noncompliance with section 33 of the IP Act?
The arrangement between the contracting agency and contracted service provider could limit or specifically outline the circumstances in which personal information can be transferred outside of Australia, in accordance with the provisions set out in section 33. The IP Act does not include the capacity for a bound contracted service provider to themselves bind a subcontractor to compliance with the privacy principles. A contracting agency could deal with this issue by ensuring that the service arrangement either imposes a prohibition on the use of overseas-based subcontractors, or places conditions on the use of overseas-based subcontractors by the contracted service provider in order to ensure that personal information is subject to the same level of protection that is afforded by the IP Act.
Consideration could be given to making failure to comply with these obligations a ground for terminating the contract as occurred with the Department of Defence.