Is Your Business Safe from Privacy & Data Breach? -

As the cost of running a financial services business in Australia increase and ASIC place heavier compliance obligations on businesses, there are very few options to save money while improving customer service.
The most obvious strategy businesses are taking advantage of is using offshore businesses like VA Platinum.

So, are you using overseas administration services as part of your business?

If so, and you haven’t got a clue about how the Australian law works for data privacy or you don’t know how it should be implemented in your operations, I’ve given a step by step process of what you need to know and how you can stay the right side of the law below.

Seriously, this could save you from some serious penalties and possible jail time.

And I don’t mean to scare you. Laws are meant to be intimidating, so we have to be mindful and respectful of them to avoid the backlash of the looming “or else.”

Firstly, let’s do a bit of background research….

What is APP 8 and why does it matter?

The Australian Privacy Principle or APPs is a 13-point framework of the Australian Privacy Act of 1988. The Privacy Act was created to protect and regulate how personal information is handled. In its essence, it safeguards the rights of individuals and strengthens community trust in businesses and agencies.

Personal information is defined as…

“Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”

Personal information is, but not limited to: an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details, and commentary or opinion about a person.

All APPs are created to guide us with the proper way of handling personal information, for a number of specific scenarios. APP 8 specifically outlines cross-border disclosure of personal information.

APP 8 particularly details your legal obligations if you are utilising overseas or offshore operation that involves passing around personal information.

Some examples are:

KEYPOINTS

You can find the full inclusions of APP 8 through the Office of the Australian Information Commissioner.

For the purpose of simplifying the points under this principle, I’ve outlined them below:

1. Implement Data and Privacy Security Measures in your office

If your business discloses personal information to an overseas recipient, you must take reasonable steps to ensure that the recipient does not breach the APPs in connection with the personal information.

This means that you have to implement an anti-recording policy in the office or use software that effectively keeps people away from accessing personal information outside of work.

2. Acknowledge accountability for Data Breach

An Australian entity may still be held accountable for the practices or acts of an overseas recipient which result in a breach even if they have taken reasonable steps.

However, the Office of the Australian Information Commissioner (OAIC) will take into account the reasonable steps followed when resolving the matter.

3. Provide proper disclosure to clients.

Proper disclosure must be issued to the individual for them to effectively grant consent.

Following point number 3, I have asked my clients to include a disclosure to clients with regards to using offshore staff through us. I created the following text to put inside their respective Fact Find and Privacy Policy (or in their FSG and SoA):

“Some of the information (including health information) collected by us may be disclosed to employees or contractors of [YOUR COMPANY NAME] outside of Australia. You consent to your information being disclosed to a destination outside Australia for this purpose, including but not limited to Cebu, Philippines, and you understand and acknowledge that Australian Privacy Principle 8.1 will not apply to such disclosures of your personal information. “

For those wanting a smaller disclosure, I encouraged them to use what one of our VA Platinum clients has included in their privacy policy that every client must sign.

“Note: we do utilise some overseas administration.”

Either way, I recommend that when using offshore staff, you must include a suitable disclosure that is easily identifiable in a document that the client signs off on.

4. Make sure that personal data is used strictly for its primary purpose.

The Privacy Principle sets out that the business must only disclose personal information for the primary purpose it was collected unless an exception to this principle applies. An Australian entity is only allowed to use or disclose personal information for a secondary purpose (defined as the non-primary purpose) in the following situations:

In these circumstances, the Australian entity must justify its actions and satisfy the Office of the Australian Information Commissioner (OAIC) that its disclosure was reasonably expected.

In summary, it’s incredibly easy to comply with Australia’s privacy laws when using offshore staff our overseas outsourcing businesses.

You simply need to disclose to customers that their data may be sent offshore and only used for the purpose intended and have the client sign-off that they grant you permission.

Easy peasy!