Is Your Business Safe from Privacy & Data Breach?

As the cost of running a financial services business in Australia increase and Australian Securities and Investments Commission (ASIC) place heavier compliance obligations on businesses, there are very few options to save money while improving customer service.

The most obvious strategy businesses are taking advantage of is using an offshore virtual assistant service provider like VA Platinum.

Are you using offshore virtual assistants for financial planning or mortgage broking?

If yes, and you haven’t a clue about how the Australian law works for data privacy, or do not know how it should be implemented in your operations, below, I’ve given a step by step of what you need to know and how you can stay the right side of the law.

Seriously, this could save you from some serious penalties and possible jail time.

And I don’t mean to scare. Laws are meant to be intimidating, and so we have to be mindful and respectful of them to avoid the backlash of the looming “or else”.

Firstly, let’s do a bit of background research….

What is APP 8 and why does it matter?

The Australian Privacy Principle or APPs, is a 13-point framework of the Australian Privacy Act of 1988. The Privacy Act was created to protect and regulate how personal information is handled. In its essence, it safeguards the rights of individuals and strengthens community trust in businesses and agencies.

Personal information is defined as…

Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.”

Personal information is, but not limited to the individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

All APPs are created to guide us with the proper way of handling personal information, for a number of specific scenarios. APP 8 specifically outlines cross-border disclosure of personal information.

APP 8 particularly details your legal obligations if you are utilising overseas or offshore operation that involves passing around personal information.

Some examples are:

    • – If you use Dropbox, Google Drive, OneDrive or other similar file storage facility that your offshore staff access.
  • – Where you provide access to your customer database such as with Adviser Logic, Xplan, Midwinter etc.
  • – Where you send a fact find or scope of advice document offshore to prepare advice documents such as a Statement of Advice.

Key Points

You can find the full inclusions of the APP 8 through the Office of Australian Information Commissioner.

For the purpose of simplifying the points under this principle, I’ve outlined them below:

1. Implement data and privacy security measures.

If your business discloses personal information to an overseas recipient, you must take reasonable steps to ensure that the recipient does not breach the APPs in connection with the personal information.

This means that you have to implement an anti-recording policy in the office or use software that effectively keeps people away from accessing personal information outside work.

2. Acknowledge accountability for data breach.

An Australian entity may still be held accountable for the practices or acts of an overseas recipient which result in a breach even if they have taken reasonable steps.

However, the Office of the Australian Information Commissioner (OAIC) will take into account the reasonable steps followed when resolving the matter.

3. Provide proper disclosure to clients.

Proper disclosure must be issued to the individual for them to effectively grant consent.

Following point number 3, I have asked my clients to include disclosure to clients with regards to using offshore staff through us. I created the following text to put inside their respective Fact Find and Privacy Policy (or in their FSG and SoA):

“Some of the information (including health information) collected by us may be disclosed to employees or contractors of [YOUR COMPANY NAME] outside of Australia. You consent to your information being disclosed to a destination outside Australia for this purpose, including but not limited to Cebu, Philippines, and you understand and acknowledge that Australian Privacy Principle 8.1 will not apply to such disclosures of your personal information. “

For those wanting a smaller disclosure, I encouraged them to use what one of our VA Platinum clients has included in their privacy policy that every client must sign.

“Note: we do utilise some overseas administration.”

Either way, I recommend that when using offshore staff, you must include a suitable disclosure that is easily identifiable in a document that the client signs-off on.

4. Make sure that personal data is used strictly for its primary purpose.

The Privacy Principle sets out that the business must only disclose personal information for the primary purpose it was collected unless an exception to this principle applies. An Australian entity is only allowed to use or disclose personal information for a secondary purpose (defined as the non-primary purpose) in the following situations:

  • – where the individual grants consent;
  • – where the law requires disclosure; or
  • – where it is “reasonably expected” that the Australian entity would disclose the information for the secondary purpose.

In these circumstances, the Australian entity must justify its actions and satisfy the Office of the Australian Information Commissioner (OAIC) that its disclosure was reasonably expected.

In summary, it’s incredibly easy to comply with Australia’s privacy laws when using offshore staff our oversees outsourcing businesses.

You simply need to disclose to customers that their data may be sent offshore and only used for the purpose intended and have the client sign-off that they grant you permission.

Easy peasy!

Book a Zoom meeting with Brian!


>

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: