A recent media article reported that the Department of Defence had terminated the contract of a supplier after it found out the provider was processing and hosting employees’ personal information on servers hosted overseas. This contravened the conditions of the contract between the two parties.
Although this incident occurred with a Commonwealth agency, it highlights a sensitivity about personal information being transferred overseas that is common to Australian privacy jurisdictions. Queensland’s Information Privacy Act 2009 has specific rules aimed at continuing to protect the privacy of personal information when it is transferred overseas.
Section 33 of the IP Act sets out that an agency may transfer personal information outside of Australia only if:
A common misconception is that the provision of a ‘collection notice’ on its own will always equate to consent. While a collection notice can inform an individual of the potential for overseas transfer, receipt of a collection notice by the individual is a passive process, whereas agreement requires action by the individual. Agreement can be recorded, for example, by the individual ticking an opt-in box or signing to confirm that they understand their personal information will be transferred overseas and that they agree to this. Agreement can also be taken where the informed individual has the capacity to exercise a choice about whether or not to participate and provide their personal information.
Chapter 2, part 4 of the IP Act requires a contracting agency to take all reasonable steps to ensure that a contracted service provider is contractually bound to comply with the IPPs (and NPPs, if the contracting agency is a health agency) and with section 33 concerning the transfer of personal information outside Australia.
A bound contracted service provider can only transfer personal information outside Australia—for example, by sub-contracting to a cloud-based service that uses servers physically located in a country other than Australia—where they satisfy one of the requirements set out in section 33.
Where the contracting agency interacts directly with the overseas-based sub-contractor, it could be that it is the agency, rather than the bound contracted service provider, that will be responsible for complying with the section 33 requirements.
The arrangement between the contracting agency and contracted service provider could limit or specifically outline the circumstances in which personal information can be transferred outside of Australia, in accordance with the provisions set out in section 33. The IP Act does not include the capacity for a bound contracted service provider to themselves bind a subcontractor to compliance with the privacy principles. A contracting agency could deal with this issue by ensuring that the service arrangement either imposes a prohibition on the use of overseas-based subcontractors, or places conditions on the use of overseas-based subcontractors by the contracted service provider in order to ensure that personal information is subject to the same level of protection that is afforded by the IP Act.
Consideration could be given to making failure to comply with these obligations a ground for terminating the contract as occurred with the Department of Defence.