Private and financial information moved overseas by organisations.
Dear Office of the Australian Information Commissioner,
Would you please inform me why it is not in contravention of the Privacy Act 1988 for an organisation to transfer or copy private and financial customer information overseas to another country and/or organisational entity, without the express permission of the customer.
In particular a bank, that is an Australian registered company and expected by customers to operate and administer their accounts in Australia, moving their account processing operations off shore and to a separate organisational entity.
What guarantee of information security should an organisation be able to give in this circumstance?
Yours faithfully,
Christopher Bennett
Dear Mr Bennett
Thank you for your email.
I can see that you are seeking information about the privacy requirements on organisations sending personal information overseas to another entity and also the data security obligations that arise. The National Privacy Principles related to these issues are NPP 9 (transborder data flows), NPP 2 (Use and Disclosure, in particular 2.1(a) and 2.3) and NPP4 (Data security). You can access a copy of the principles and Guidelines to the National Privacy Principles at http://www.privacy.gov.au/law/act/npp . I would also note that work is currently underway to incorporate material from the former Office of the Privacy Commissioner on the OAIC's website www.oaic.gov.au so these resources are likely to be available there in coming months.
Under the Freedom of Information Act 1982 you have a right to apply for access to a document of an agency (including the OAIC). Your email is framed as a request for information, not for any document(s). I accept that the name of the legislation is confusing in this regard in referring to 'information'. If you would like to make an FOI request, your request will need to provide information concerning the document(s) as is reasonably necessary to enable a responsible officer to identify the document(s).
If you are looking for documents that explain the rationale for the current privacy principles, you may find it useful to refer to the Australian Law Reform's Report 108 'For Your Information: Australian Privacy Law and Practice' available at http://www.alrc.gov.au/publications/repo... . The explanatory memorandum and parliamentary documents related to the new Australian Privacy Principles which commence in March 2014 as a result of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 are available at http://www.aph.gov.au/Parliamentary_Busi... (and the Act is on Comlaw).
I have dealt with your as an enquiry rather than an FOI request. If you still want to make an FOI request and need assistance in framing the request, please feel free to email or phone 1300 363 992.
I hope this information is helpful for you.
Your sincerely
Charine Bennett
Director, Legal Services
Ph: 1300 363 992
Fax: 02 9284 9666
Office of the Australian Information Commissioner - Protecting information rights – advancing information policy