2 December 2016 | Reading time: 2 minutes
This is the first of a 3-part series on risks associated with offshoring personal information. In this series, we will discuss:
Offshoring personal information
It is increasingly common for organisations to outsource office functions offshore to reduce overhead costs.
In doing so, organisations face business and regulatory risks, including:
Protecting commercially sensitive and personal information can be particularly difficult for organisations where offshore service providers:
Giving privacy laws some teeth
The Australian Privacy Principles (APPs) regulate the handling of personal information by Australian government agencies and private Australian organisations with an annual turnover of more than $3 million.
What is personal information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information or opinion:
This definition captures a large amount of information, including an individual’s:
Security of personal information
Private organisations are required to take reasonable steps to protect personal information from:
Before disclosing personal information to an overseas recipient, the private organisation must (unless exceptions apply):
An organisation does not have to comply with APPs where an individual consents to the disclosure of personal information to an overseas recipient.
Importantly, where a private organisation discloses personal information to an overseas recipient, it is accountable for the overseas recipient’s acts that would breach the APPs.
Cause for concern
When offshoring office functions, organisations must take reasonable steps to protect personal information from unauthorised access or disclosure. Indeed, it may face fines if it does not comply with the Privacy Act when outsourcing back office functions overseas. How serious can that exposure be, you may ask? Well, it could be liable for penalties of up to $340,000 for individuals, or up to $1.7 million for corporations, per breach. In addition, the Office of the Australian Information Commissioner has the power to take court-enforceable undertakings in relation to privacy interference. That is clearly not a toothless privacy regime.
In Part 2 of this blog, we discuss the offshoring of employee payroll and the regulatory requirements of transferring employee personal information offshore, as well as some handy tips for safeguarding personal information. Stay tuned for this next instalment on wespokelaw.