OPC Guidance
Contractual arrangements 31.223 NPP 9 and the recommended ‘Cross-border Data Flows’ principle anticipate that organisations will use contracts to protect personal information when it is transferred outside Australia.31.224 The OPC Review noted that:From submissions and the comments received during stakeholder workshops, it appears that organisations are fulfilling their NPP 9 obligations of ensuring that personal …
Publications
Read moreRequirement of notice that personal information is being sent overseas
31.232 As noted above, a large number of respondents to the ALRC’s National Privacy Phone-In expressed concerns about Australian companies sending their personal information overseas.[351]31.233 In IP 31, the ALRC asked whether organisations should be required to inform individuals that their personal information is to be transferred outside Australia, and if so, what form such …
Publications
Read moreIntroduction
31.1 Cross-border data flow refers to the movement of personal information (or data) across national borders.[1] While the focus of the Privacy Act 1988 (Cth) was originally on personal information collected and handled within Australia, the increasing ease with which information can be transferred between countries has forced jurisdictions to recognise that efforts to protect …
Publications
Read moreTrustmarks
31.59 One feature of the APEC Privacy Framework that may have application in the Australian context is a trustmark scheme.[91] A number of countries already have adopted trustmark schemes, including privacy trustmark schemes. Some of these schemes are beginning to recognise each others’ trustmarks and develop global trustmark principles.[92] Trustmark schemes vary in nature and …
Publications
Read moreCurrent coverage of cross-border data flows
Extraterritorial operation of the Privacy Act31.71 Section 5B of the Privacy Act applies the Act (and approved privacy codes) to acts done, or practices engaged in, outside Australia by an organisation, if the act or practice relates to personal information about an Australian citizen or permanent resident and either the organisation:is linked to Australia by …
Publications
Read moreContent of the model ‘Cross-border Data Flows’ principle
Accountability31.93 Professor Greenleaf, Nigel Waters and Associate Professor Lee Bygrave submitted that the six conditions under NPP 9 will generally be sufficient to allow any legitimate transfer overseas of personal information, even when those transfers may harm the interests of the data subjects concerned. They argued that data exporters should remain liable for breaches of …
Publications
Read moreRegulation of Tax File Numbers
Background to the enhanced TFN scheme30.130 In May 1988, following the demise of the Australia Card scheme, the then Treasurer, the Hon Paul Keating MP, announced that the Australian Government intended to introduce an enhanced TFN scheme.[194] In 1988, legislation establishing such a scheme was passed.[195] 30.131 Before 1988, TFNs were simply numbers used by …
Publications
Read moreIs there a need for an ‘Identifiers’ principle?
30.12 A threshold issue is whether it is necessary to retain a separate principle to regulate the use of identifiers. There is an argument that the collection, use and disclosure of identifiers could be accommodated within the privacy principles that deal with those aspects of the information cycle. For example, the proscription in NPP 7 …
Publications
Read moreDefinition of ‘identifier’
30.39 The definition of an ‘identifier’ in NPP 7 does not describe what an identifier is, only that it includes a number assigned by an organisation to an individual. The OPC Guidelines to the National Privacy Principles, however, set out a definition of ‘identifier’:A Commonwealth government identifier is a unique combination of letters and numbers, …
Publications
Read moreContent of privacy principle dealing with identifiers
Use and disclosure for the purpose of identity verification30.65 An issue that arose in response to DP 72 was whether the proposed ‘Identifiers’ principle would prevent an agency or organisation from using or disclosing an identifier for the purpose of identity verification.[89] The AGD submitted that:Identifiers are critical for the operation of identity management and …
Publications
Read more