06 May 2015

Privacy Awareness Week Day 3 – The consequences of sending personal information overseas

Does your business send personal information about individuals overseas? Are you aware of your obligations when doing so?

The relevant framework for the cross-border disclosure of personal information is found in the Australian Privacy Principles (APPs). The APPs require that you take reasonable steps to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs. In many circumstances, the APPs will deem your business liable if the recipient mishandles the information.

Who is an overseas recipient?

An overseas recipient is an entity that:

  • receives personal information from your business;
  • is not in Australia;
  • is not the same entity as your business; and
  • is not the individual to whom the personal information relates.

This means that information sent to one of your own overseas offices will not be a disclosure to an overseas recipient, but information sent to an overseas related body corporate will be.

What is ‘disclosure’ of personal information?

You will ‘disclose’ personal information if you make it accessible to others outside your entity and release the subsequent handling of that information from your effective control.

This may be in the form of a proactive release, a release in response to a specific request, an accidental release or an unauthorised release by an employee. For example, you might reveal personal information at an international conference, send a hard copy document or email containing an individual’s personal information to an overseas recipient or publish personal information on the internet where it is accessible to an overseas recipient.

In situations where your business engages an overseas contractor to perform services on your behalf (such as word processing, logistics or IT support), the provision of any personal information to that contractor will, in most circumstances, be a disclosure.

What is ‘use’ of personal information?

Generally, you ‘use’ personal information when you handle and manage it within your effective control. For example, you use personal information when accessing and reading it, searching records for it, making a decision based on it or passing it from one part of the entity to another.

If you were to provide personal information to an overseas recipient via a server in a different overseas location, there would not usually be disclosure until the information reaches the overseas recipient. This means that routing personal information, in transit, through servers located outside Australia, would usually be considered a ‘use’.

In limited circumstances, giving personal information to a service provider or contractor may be a ‘use’ of that information rather than a disclosure. For the release to be a ‘use’, the service provider will usually have to have a binding contract with your business that restricts the service provider from handling the personal information in any way other than the limited circumstances for which the personal information was released.

Why does the difference matter?

For a number of APPs, it is not necessary to distinguish between a ‘use’ and a ‘disclosure’, as the same obligations apply to both. Other APPs, in particular APP 8 (which governs the cross-border disclosure of personal information), apply only to ‘disclosure’ and not to ‘use’, so it’s important to know how to distinguish the two for this purpose.

What are the consequences of disclosing personal information overseas?

If you disclose personal information to an overseas recipient, you will be held accountable, in certain circumstances, for a subsequent act or practice by the recipient in relation to the information. If the overseas recipient engages in conduct that would breach the APPs (if they applied to the recipient), the business that disclosed the personal information to the overseas recipient is deemed to have engaged in that conduct and to have breached the APPs.

This may be the case even where:

  • your business has taken reasonable steps to ensure the overseas recipient complies with the APPs and it subsequently engages in conduct that would breach the APPs;
  • the overseas recipient discloses the personal information to a subcontractor and the subcontractor breaches the APPs; and
  • the overseas recipient inadvertently breaches the APPs in relation to the information.

These consequences are alarming and, in most cases, outside your control once the information has been disclosed to the overseas recipient. Therefore, it’s essential to ensure that precautions are taken and personal information is only disclosed to overseas entities in situations where you are confident with its subsequent handling.

Privacy awareness week

This article was part of our series on handling personal information as part of Privacy Awareness Week. As a partner of the Office of the Australian Information Commissioner’s privacy awareness campaign, this week Cooper Grace Ward will publish a series of articles relating to:

If you would like further information about overseas disclosure of personal information, or privacy issues generally, please contact one of our team.

This publication is for information only and is not legal advice. You should obtain advice that is specific to your circumstances and not rely on this publication as legal advice. If there are any issues you would like us to advise you on arising from this publication, please let us know.
