Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 and the Privacy Act 1988 (Privacy Act).
This newsletter is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act. This edition will focus on cross-border disclosure of personal information and will be the last of the TRANSPARENT series.
IMPORTANT NOTE: The Privacy Act, including the Australian Privacy Principles (APPs), applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines.
Inside this edition:
- What does APP 8 say about disclosing personal information to an overseas recipient?
- What is an ‘overseas recipient’?
- What does it mean to disclose personal information to an overseas recipient?
- How is ‘disclosure’ different to the ‘use’ of personal information?
- Taking reasonable steps to ensure an overseas recipient does not breach the APPs
- What are the exceptions?
- Does the EU’s General Data Protection Regulation (GDPR) apply to my organisation?
- Recap of past TRANSPARENT editions
- OAIC resources.
Disclosing personal information to an overseas recipient
APP 8 regulates the disclosure of personal information outside of Australia. It aims to ensure that organisations remain accountable for cross-border flows of personal and sensitive information. For APP entities, this means that your organisation can be held responsible for a breach of Australian privacy law where an act or practice of the overseas recipient would breach the APPs (APP 8.1, read with section 16C of the Privacy Act).
Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1). There are some exceptions to this requirement.
What is an ‘overseas recipient’?
An ‘overseas recipient’ is a person who receives personal information from an APP entity and is not:
- in Australia or an external Territory
- the APP entity disclosing the personal information
- the individual to whom the personal information relates.
What does it mean to disclose personal information to an overseas recipient?
An APP entity discloses personal information when it makes it accessible to others outside the entity, releasing effective control over the information. ‘Disclosure’ focuses on the act of the disclosing party (the APP entity) rather than the overseas recipient, even in circumstances where the overseas recipient already knows the information.
Disclosure may occur in a number of situations, such as when an entity:
- proactively releases or publishes information
- releases information directly to the overseas recipient in response to a specific request
- accidentally or intentionally releases the information in an unauthorised manner.
How is ‘disclosure’ different to the ‘use’ of personal information?
The focus of APP 8 is on the ‘disclosure’ of personal information to overseas recipients, as opposed to the ‘use’ of the information.
While neither term is defined in the Privacy Act, the primary difference between the ‘disclosure’ and the ‘use’ of information is whether the APP entity retains effective control over the personal information.
‘Disclosure’ occurs when an entity makes personal information available or visible to others outside the organisation, releasing control over the information.
‘Use’ occurs when an entity undertakes an activity with or handles personal information that is within its effective control.
Where an APP entity engages a contractor located overseas to perform services on its behalf, this will be a disclosure in most circumstances.
Example: Personal information may be disclosed by an employee of a registered training organisation to an overseas recipient in a number of ways, such as if the employee:
- emails a student’s name, date of birth, address, and educational and training history to an overseas contractor
- reveals a list of students’ names and USIs at an international conference
- sends a hard copy document or email containing a student’s training records or transcript to an overseas education authority, or
- publishes a student’s personal information on the internet, making it accessible to an overseas recipient.
More information on the difference between ‘uses’ and ‘disclosures’ to overseas contractors is available in Chapter Eight of the APP Guidelines (8.7-8.15).
Taking reasonable steps to ensure an overseas recipient does not breach the APPs
Under APP 8.1, you must take ‘reasonable steps’ to ensure that when you disclose personal information to an overseas recipient, they do not breach the APPs.
This is most commonly done through an enforceable contractual arrangement between the APP entity and the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs. Such an arrangement may set out:
- the types of personal information to be disclosed and the purpose of disclosure
- a requirement that the overseas recipient complies with the APPs when collecting, using, disclosing, storing, and destroying or de-identifying personal information
- the complaint handling process for privacy complaints
- a requirement that the recipient implement a data breach response plan, which sets out a process for assessing, containing and rectifying a breach.
However, what constitutes ‘reasonable steps’ will differ depending on the circumstances of your organisation, including the:
- sensitivity of the personal information that your organisation holds
- possible adverse consequences for an individual if the information is mishandled
- overseas recipient’s existing technical and operational safeguards
- practicability of taking reasonable steps, including time and cost.
What are the exceptions?
APP 8.1 does not apply in some circumstances, so that you may disclose personal information to an overseas recipient without first taking reasonable steps. These include where:
- the overseas recipient is subject to a substantially similar law or binding scheme that, overall, affords privacy protections comparable to those provided by the APPs
- an individual has given informed consent to the disclosure
- Australian law or a court/tribunal order authorises or requires the disclosure
- a permitted general situation exists (such as locating a missing person or preventing a serious threat to life, health or safety)
- there is an international agreement relating to overseas information sharing
- it is for an enforcement related purpose or activity.
For more information on the exceptions to the requirement, refer to Chapter Eight of the APP Guidelines (8.19-8.55).
Does the European Union’s (EU’s) General Data Protection Regulation (GDPR) apply to my organisation?
The EU’s GDPR contains data protection requirements that have applied since 25 May 2018. Australian businesses may need to comply with the GDPR if they:
- have an establishment in the EU
- offer goods or services to, or monitor the behaviour of, individuals in the EU.
The GDPR and the Privacy Act share many common requirements, but there are also some notable differences. For example, individuals have a ‘right to be forgotten’ under the GDPR, which is a right that does not exist under the Privacy Act.
To find out more about your obligations, refer to the OAIC’s privacy resource on Australian businesses and the GDPR.
Recap of past TRANSPARENT editions
- In the Transparent December 2017 edition, we covered what privacy is, what the APPs are, and whether your organisation is subject to the Privacy Act.
- In the Transparent April 2018 edition, we covered how the APPs apply to you, and your obligations under the APPs.
- In the Transparent July 2018 edition, we covered privacy training and how to foster accountability for privacy in your organisation.
- In the Transparent August 2018 edition, we covered good privacy practices, Privacy Impact Assessments and Privacy Management Plans.
- In the Transparent November 2018 edition, we covered ICT and physical security, and your obligations to take ‘reasonable steps’ to protect and secure personal information.
- In the Transparent March 2019 edition, we covered more information related to ICT and physical security, such as access controls, third party providers, and the destruction or de-identification of personal information.
- In the Transparent May 2019 edition, we covered data breach response plans.
The OAIC website has a number of resources that can assist organisations to consider their obligations when disclosing personal information overseas. Chapter Eight of the APP Guidelines discusses these obligations and their exceptions in more detail.
The OAIC’s Privacy Resource 21 discusses Australian businesses and the EU’s GDPR.