In this episode of TaxLand, Fletch and Sarah talk about the tax consequences of Fletch's dream to live and work in Italy and the effect that the move could have ...
Does your business send personal information about individuals overseas? Are you aware of your obligations when doing so?
The relevant framework for the cross-border disclosure of personal information is found in the Australian Privacy Principles (APPs). The APPs require that you take reasonable steps to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs. In many circumstances, the APPs will deem your business liable if the recipient mishandles the information.
Who is an overseas recipient?
An overseas recipient is an entity that:
This means that information sent to one of your own overseas offices will not be a disclosure to an overseas recipient, but information sent to an overseas related body corporate will be.
What is ‘disclosure’ of personal information?
You will ‘disclose’ personal information if you make it accessible to others outside your entity and release the subsequent handling of that information from your effective control.
This may be in the form of a proactive release, a release in response to a specific request, an accidental release or an unauthorised release by an employee. For example, you might reveal personal information at an international conference, send a hard copy document or email containing an individual’s personal information to an overseas recipient or publish personal information on the internet where it is accessible to an overseas recipient.
In situations where your business engages an overseas contractor to perform services on your behalf (such as word processing, logistics or IT support), the provision of any personal information to that contractor will, in most circumstances, be a disclosure.
What is ‘use’ of personal information?
Generally, you ‘use’ personal information when you handle and manage it within your effective control. For example, you use personal information when accessing and reading it, searching records for it, making a decision based on it or passing it from one part of the entity to another.
If you were to provide personal information to an overseas recipient via a server in a different overseas location, there would not usually be disclosure until the information reaches the overseas recipient. This means that routing personal information, in transit, through servers located outside Australia, would usually be considered a ‘use’.
In limited circumstances, giving personal information to a service provider or contractor may be a ‘use’ of that information rather than a disclosure. For the release to be a ‘use’, the service provider will usually have to have a binding contract with your business that restricts the service provider from handling the personal information in any way other than the limited circumstances for which the personal information was released.
Why does the difference matter?
For a number of APPs, it is not necessary to distinguish between a ‘use’ or ‘disclosure’ as the same obligations apply both. Other APPs, in particular APP 8 (which governs the cross-border disclosure of personal information) only applies to ‘disclosure’ and not to its ‘use’, therefore it’s important to know how to distinguish the two for this purpose.
What are the consequences of disclosing personal information overseas?
If you disclose personal information to an overseas recipient, you will be held accountable, in certain circumstances, for a subsequent act or practice by the recipient in relation to the information. If the overseas recipient engages in conduct that would breach the APPs (if they applied to the recipient), the business that disclosed the personal information to the overseas recipient is deemed to have engaged in that conduct and to have breached the APPs.
This may be the case even where:
These consequences are alarming and, in most cases, outside your control once the information has been disclosed to the overseas recipient. Therefore, it’s essential to ensure that precautions are taken and personal information is only disclosed to overseas entities in situations where you are confident with its subsequent handling.
Privacy awareness week
This article was part of our series on handling personal information as part of Privacy Awareness Week. As a partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, this week Cooper Grace Ward will publish a series of articles relating to:
If you would like further information about overseas disclosure of personal information, or privacy issues generally, please contact one of our team.
This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.
Subscribe to our interest lists to receive legal alerts, articles, event invitations and offers.
Cooper Grace Ward acknowledges and pays respect to the past, present and future Traditional Custodians and Elders of this nation and the continuation of cultural, spiritual and educational practices of Aboriginal and Torres Strait Islander peoples.
Fast, accurate and flexible entities including companies, self-managed superannuation funds and trusts.