On 1 April 2015 the Office of the Australian Information Commissioner (OAIC) released revised guidelines on the Australian Privacy Principles (APPs).
What are the APP Guidelines?
The APP Guidelines, originally released in February 2014, contain detailed information about the operation of the APPs, which form a subset of the Privacy Act 1988 (Cth). They are the Information Commissioner's interpretation of the APPs, and are not legally binding.
What has changed?
The revised APP Guidelines contain additional guidance on:
- when overseas entities will be considered to be carrying on business in Australia; and
- the provision of personal information to an overseas contractor.
When overseas companies are considered to be carrying on business in Australia
The Privacy Act and the APPs will only apply to an entity that has an Australian link. One of the tests to determine whether an entity has an Australian link is whether or not it carries on business in Australia. The OAIC has now indicated that an entity will not necessarily be carrying on a business in Australia only because a purchase order can be placed in Australia (but fulfilled overseas), or the entity's website can be accessed from Australia. The OAIC considers there must be some physical activity in Australia through human instrumentalities. This might include:
- having a place of business in Australia, or conducting business through an individual or entity located in Australia;
- registering a trade mark in Australia;
- fulfilling purchase orders in Australia; or
- offering to supply goods or services to Australia on the entity's website.
Under what circumstances an APP entity may breach the APPs when it provides personal information to an overseas contractor
Where an APP entity (an organisation covered by the Privacy Act) engages an overseas contractor to perform services on its behalf, it may disclose personal information to the contractor, for example by outsourcing its billing systems. The APP entity will then need to comply with APP 8.1, meaning that it will need to enter into a written agreement with the overseas contractor, and it may be responsible for the overseas contractor's mishandling of personal information (unless an exception in APP 8.2 applies).
However, as previously stated in the February 2014 APP Guidelines, providing personal information to an overseas contractor is sometimes only a 'use' rather than a 'disclosure', such as where an APP entity uses offshore cloud storage services. In this case, APP 8 may not apply. In the April 2015 APP Guidelines the OAIC has warned that APP entities should be aware that, even where there is no disclosure of personal information to an overseas contractor, any mishandling of personal information in the overseas contractor's possession may still be a breach by the APP entity. This is because the APP entity is still considered to hold the personal information, and is therefore ultimately responsible for it.
How does it affect me?
The updates to the APP Guidelines target some of the uncertainties around offshore businesses with operations in Australia, and also Australian businesses who send personal information offshore.
The guidance in relation to carrying on business in Australia reflects current Australian law, and in limited cases may reduce the regulatory compliance burden for some entities.
APP entities that provide personal information to an offshore contractor in circumstances where there is no disclosure may still wish to ensure that contractual obligations are in place with that overseas contractor.