As the cost of running a financial services business in Australia increase and ASIC places heavier compliance obligations on businesses, there are very few options to save money while improving customer service.
The most obvious strategy businesses are taking advantage of is using offshore businesses like VA Platinum.
So, are you using overseas administration services as part of your business?
If yes, and you haven’t a clue about how the Australian law works for data privacy, or do not know how it should be implemented in your operations, below, I’ve given a step by step of what you need to know and how you can stay on the right side of the law.
Seriously, this could save you from some serious penalties and possible jail time.
And I don’t mean to scare. Laws are meant to be intimidating, and so we have to be mindful and respectful of them to avoid the backlash of the looming “or else”.
Firstly, let’s do a bit of background research….
What is APP 8 and why does it matter?
The Australian Privacy Principle, or APPs, is a 13-point framework of the Australian Privacy Act of 1988. The Privacy Act was created to protect and regulate how personal information is handled. In its essence, it safeguards the rights of individuals and strengthens community trust in businesses and agencies.
Personal information is defined as…
“Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”
Personal information is, but not limited to: an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, and commentary or opinion about a person.
All APPs are created to guide us with the proper way of handling personal information, for a number of specific scenarios. APP 8 specifically outlines the cross-border disclosure of personal information.
APP 8 particularly details your legal obligations if you are utilising overseas or offshore operation that involves passing around personal information.
Some examples are:
- If you use Dropbox, Google Drive, OneDrive, or other similar file storage facility that your offshore staff access.
- Where you provide access to your customer database such as Adviser Logic, Xplan, Midwinter, etc.
- Where you send a fact find or scope of advice document offshore to prepare advice documents such as a Statement of Advice.
You can find the full inclusions of APP 8 through the Office of the Australian Information Commissioner.
For the purpose of simplifying the points under this principle, I’ve outlined them below:
1. Implement Data and Privacy Security Measures in your office
If your business discloses personal information to an overseas recipient, you must take reasonable steps to ensure that the recipient does not breach the APPs in connection with the personal information.
This means that you have to implement an anti-recording policy in the office or use software that effectively keeps people away from accessing personal information outside of work.
2. Acknowledge accountability for Data Breach
An Australian entity may still be held accountable for the practices or acts of an overseas recipient which result in a breach even if they have taken reasonable steps.
However, the Office of the Australian Information Commissioner (OAIC) will take into account the reasonable steps followed when resolving the matter.
3. Provide proper disclosure to clients
Proper disclosure must be issued to the individual for them to effectively grant consent.
“Some of the information (including health information) collected by us may be disclosed to employees or contractors of [YOUR COMPANY NAME] outside of Australia. You consent to your information being disclosed to a destination outside Australia for this purpose, including but not limited to Cebu, Philippines, and you understand and acknowledge that Australian Privacy Principle 8.1 will not apply to such disclosures of your personal information.”
“Note: we do utilise some overseas administration.”
Either way, I recommend that when using offshore staff, you must include a suitable disclosure that is easily identifiable in a document that the client signs off on.
4. Make sure that personal data is used strictly for its primary purpose
The Privacy Principle sets out that the business must only disclose personal information for the primary purpose it was collected unless an exception to this principle applies. An Australian entity is only allowed to use or disclose personal information for a secondary purpose (defined as the non-primary purpose) in the following situations:
- where the individual grants consent;
- where the law requires disclosure; or
- where it is “reasonably expected” that the Australian entity would disclose the information for secondary purposes.
In these circumstances, the Australian entity must justify its actions and satisfy the Office of the Australian Information Commissioner (OAIC) that its disclosure was reasonably expected.
In summary, it’s incredibly easy to comply with Australia’s privacy laws when using offshore staff in our overseas outsourcing businesses.
You simply need to disclose to customers that their data may be sent offshore and only used for the purpose intended and have the client sign-off that they grant you permission.