OPC Guidance

Contractual arrangements

31.223 NPP 9 and the recommended ‘Cross-border Data Flows’ principle anticipate that organisations will use contracts to protect personal information when it is transferred outside Australia.

31.224 The OPC Review noted that:

From submissions and the comments received during stakeholder workshops, it appears that organisations are fulfilling their NPP 9 obligations of ensuring that personal information is protected when it is transferred to regions without privacy regimes through contractual arrangements with their trading partners. While some submissions find this to be an effective solution, others are concerned about the costs associated with monitoring the compliance of their trading partners.[339]

31.225 The OPC Review noted that the OPC could provide greater guidance by publishing approved standard contractual provisions for use by Australian companies and international trading partners. It indicated that the EU had issued contract provisions. It acknowledged, however, that developing standard contractual provisions would have resource implications for the Office.[340] Rather than publishing standard contractual provisions, the OPC recommended that it provide further guidance to assist organisations in complying with NPP 9.[341]

31.226 In DP 72, the ALRC proposed that the OPC issue guidance on the issues that should be addressed as part of a contractual agreement with the overseas recipient of personal information.[342] PIAC submitted that it would be helpful if the OPC guidance provided model contractual provisions as the OVPC has done.[343]

Other OPC guidance

31.227 In other sections of this chapter, the ALRC proposes that guidance on the proposed ‘Cross-border Data Flows’ principle also should address:

  • when personal information may become available to a foreign government;

  • contracting out government services to organisations outside Australia;

  • what constitutes a ‘reasonable belief’;

  • consent to cross-border data flows, including information for individuals on the consequences of providing consent;

  • the establishment by agencies of administrative arrangements or MOUs or protocols with foreign governments, with respect to appropriate handling practices for personal information in overseas jurisdictions where privacy protections are not substantially similar to the model UPPs (for example, where the transfer is required or authorised by or under law); and

  • examples of the circumstances in which a transfer will, and will not, be taken to have occurred, for the purposes of the ‘Cross-border Data Flows’ principle.[344]

31.228 The majority of stakeholders supported the ALRC’s proposals in relation to OPC guidance.[345] Medicare Australia’s support for the model ‘Cross-border Data Flows’ principle was conditional on OPC guidance being made available, to ensure consistent interpretation and application of specific criteria.[346] On the other hand, GE Money expressed concern at the extent of guidance recommended by the ALRC.[347]

31.229 The OPC agreed that it should develop general guidance for agencies and organisations regarding the risks of personal information being made available to foreign governments. That guidance should include a warning that foreign laws might require the disclosure of the information to foreign government agencies and general advice about minimising privacy risks when transferring personal information overseas.[348] The OVPC submitted that guidance should be produced jointly, or in consultation with, state or territory privacy commissioners.[349]

ALRC’s view

31.230 The OPC should develop and publish guidance about the issues that should be addressed as part of a contractual agreement with the overseas recipient of personal information. This guidance will be particularly helpful for small businesses. The ALRC notes that the OVPC has published Model Terms for Cross-border Data Flows of Personal Information. The guide includes model clauses for the transfer of personal information outside Victoria, together with commentary about the clauses.[350] In the ALRC’s view, the OPC should provide model clauses as part of that guidance.

31.231 Further, OPC guidance in the areas discussed above would assist agencies and organisations to comply with the ‘Cross-border Data Flows’ principle.

Recommendation 31–7 The Office of the Privacy Commissioner should develop and publish guidance on the ‘Cross-border Data Flows’ principle, including guidance on:

(a) circumstances in which personal information may become available to a foreign government;

(b) outsourcing government services to organisations outside Australia;

(c) the issues that should be addressed as part of a contractual agreement with an overseas recipient of personal information;

(d) what constitutes a ‘reasonable belief’;

(e) consent to cross-border data flows, including information for individuals on the consequences of providing consent;

(f) the establishment by agencies of administrative arrangements, memorandums of understanding or protocols with foreign governments, with respect to appropriate handling practices for personal information in overseas jurisdictions where privacy protections are not substantially similar to the model Unified Privacy Principles (for example, where the transfer is required or authorised by or under law); and

(g) examples of circumstances which do, and do not, constitute a transfer for the purposes of the ‘Cross-border Data Flows’ principle.

[339] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 78.

[340] Ibid, 78.

[341] Ibid, Rec 18.

[342] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–9(c).

[343] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007. See also: Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007.

[344] In Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 28–9, the ALRC proposed that the OPC issue guidance in relation to some elements of NPP 9 that have been removed from the recommended ‘Cross-border Data Flows’ principle. Guidance, therefore, is not required in relation to those matters (specifically, items (d) and (e) of Proposal 28–9).

[345] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Queensland Government, Submission PR 490, 19 December 2007.

[346] Medicare Australia, Submission PR 534, 21 December 2007.

[347] GE Money Australia, Submission PR 537, 21 December 2007.

[348] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[349] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[350] Office of the Victorian Privacy Commissioner, Model Terms for Cross-border Data Flows of Personal Information (2006).