Counting the cost of outsourcing (part 1).

This is the first of a 3-part series on risks associated with offshoring personal information. In this series, we will discuss:

• an organisation’s obligations to protect personal information when offshoring office functions (Part 1);
• tips to safeguard personal information when offshoring employee payroll (Part 2); and
• redundancy issues associated with outsourcing arrangements (Part 3).

Offshoring personal information

It is increasingly common for organisations to outsource office functions offshore to reduce overhead costs.

In doing so, organisations face business and regulatory risks, including:

• lack of protection of commercially sensitive and personal information;
• loss of internal business knowledge;
• regulatory compliance issues;
• lack of transparency; and
• loss of quality control.

Protecting commercially sensitive and personal information can be particularly difficult for organisations where offshore service providers:

• have weak physical and IT security infrastructure and back-up or disaster recovery procedures;
• utilise layers of contractors and sub-contractors;
• have little emphasis on HR functions, including inadequate pre-employment screening practices; and
• operate in jurisdictions with toothless privacy laws and limited privacy remedies.

Giving privacy laws some teeth

The Australian Privacy Principles (APPs) regulate the handling of personal information by Australian government agencies and private Australian organisations with an annual turnover of more than $3 million.

What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion:

• is true; and
• is recorded in a material form^[1].

This definition captures a large amount of information, including an individual’s:

• name, address, email or phone number;
• photograph, video or audio recording;
• salary or banking information, education and qualifications; or
• health information, religious preferences or sexual orientation.

Security of personal information

Private organisations are required to take reasonable steps to protect personal information from:

1. misuse, interference and loss; and
2. unauthorised access, modification or disclosure^[2].

Cross-border disclosure

Before disclosing personal information to an overseas recipient, the private organisation must (unless exceptions apply)^[3]:

1. take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information; and
2. only disclose the personal information for the primary purpose for which it was collected.

An organisation does not have to comply with APPs where an individual consents to the disclosure of personal information to an overseas recipient.

Importantly, where a private organisation discloses personal information to an overseas recipient, it is accountable for the overseas recipient’s acts that would breach the APPs^[4].

Cause for concern

When offshoring office functions, organisations must take reasonable steps to protect personal information from unauthorised access or disclosure. Indeed, it may face fines if it does not comply with the Privacy Act when outsourcing back office functions overseas. How serious can that exposure be, you may ask? Well, it could be liable for penalties of up to $340,000 for individuals, or up to $1.7 million for corporations, per breach^[5]. In addition, the Office of the Australian Information Commissioner has the power to take court-enforceable undertakings in relation to privacy interference. That is clearly not a toothless privacy regime.

In Part 2 of this blog, we discuss the offshoring of employee payroll and the regulatory requirements of transferring employee personal information offshore, as well as some handy tips for safeguarding personal information. Stay tuned for this next instalment on wespokelaw.

^[1] Section 6(1) of the Privacy Act 1988 (Cth) (Privacy Act).
^[2] AAP 11.1.
^[3] APP 8.1.
^[4] Section 16C of the Privacy Act.
^[5] Section 13G of the Privacy Act.