Transborder privacy control [was: [LINK] Mumbai Jumbo]

Stephen Wilson
Tue, 18 Feb 2003 13:34:43 +1100

> -----Original Message-----
> From: Damien Miller []
> Sent: Tuesday, February 18, 2003 11:22 AM
> To: Ash Nallawalla
> Cc: 'Russell Ashdown';
> Subject: Re: [LINK] Mumbai Jumbo
> > > ... Is it acceptable 
> > > to have the private credit card accounts of Australian
> > > residents available online in a foreign country?
> > 
> > Yes, it's fine ... You would still be able to take Amex to court in Australia if
> > something went wrong.
> Actually it may be different - as you are dealing with a non-Australian 
> support company any information you give may not be covered by our privacy laws.

It is not actually necessary for the other jurisdiction to have privacy laws (although it is better if it does).  What is necessary is that the sender of personal information to a recipient in another jurisdiction has made sure that the privacy of that information will remain reasonably protected. 

NPP 9 states: 

"An organisation in Australia ... may transfer personal information ... to someone ... who is in a foreign country only if:
"(a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the NPPs; or
"(b) the individual consents to the transfer; or ...
"(f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the NPPs." 

So our law allows for means other than legislation to enforce Australia's privacy principles over particular instances of personal data sent overseas.  

In my view, the current light touch privacy regime may encourage organisations to:

(i)   require off-shore call centre contractors to have good privacy policies and practices, 
(ii)  better still, try to impose Australian style policies and practices on contractors, 
(iii) include those policies and practices in their contracts with the off-shore call centre, 
(iv)  most important of all, seek independent verification of the contractor's actual adherence to those policies and practices. 

If things do indeed evolve this way then the focus will shift onto the 'goodness' of privacy audits done in other countries.  



Stephen Wilson
Director, Identity Management 
SecureNet Limited 

Level 4, 33 Saunders Street
Pyrmont NSW  2009
(Locked Bag 32, Pyrmont NSW 2009)

Ph. +61 2 8514 7350
Mob +61 414 488 851
Fax +61 2 8514 7301
