Transborder privacy control [was: [LINK] Mumbai Jumbo]
Tue, 18 Feb 2003 14:13:18 +1000
Stephen - transparency is important, however. If Amex declines to explain how
privacy is protected through its outsourcing chain, then that transparency
There's a gap in the NPPs, isn't there (well, I guess you could argue
there's a million gaps, but I'm thinking of one in particular...)?
Imagining: NPP 5.1(b)
An organisation shall ensure that where it passes personal information to a
Sub-contractor privacy policies as described in 5.1(b) shall be made
available under the provisions of this provision, regardless of the domicile
of the sub-contractor.
...Alas, it's probably a pipe dream. Do another 399,999 Linkers want to
march with me on Sunday demanding that personal data be kept away from
> -----Original Message-----
> From: Stephen Wilson [mailto:email@example.com]
> Sent: Tuesday, 18 February 2003 12:35
> To: firstname.lastname@example.org
> Subject: Transborder privacy control [was: [LINK] Mumbai Jumbo]
> > -----Original Message-----
> > From: Damien Miller [mailto:email@example.com]
> > Sent: Tuesday, February 18, 2003 11:22 AM
> > To: Ash Nallawalla
> > Cc: 'Russell Ashdown'; firstname.lastname@example.org
> > Subject: Re: [LINK] Mumbai Jumbo
> > > > ... Is it acceptable
> > > > to have the private credit card accounts of Australian
> > > > residents available online in a foreign country?
> > >
> > > Yes, it's fine ... You would still be able to take Amex
> > > to court in Australia if
> > > something went wrong.
> > Actually it may be different - as you are dealing with a
> > support company any information you give may not be covered
> > by our privacy laws.
> It is not actually necessary for the other jurisdiction to
> have privacy laws (although it is better if it does). What
> is necessary is that the sender of personal information to a
> recipient in another jurisdiction has made sure that the
> privacy of that information will remain reasonably protected.
> NPP 9 states:
> "An organisation in Australia ... may transfer personal
> information ... to someone ... who is in a foreign country only if:
> "(a) the organisation reasonably believes that the recipient
> of the information is subject to a law, binding scheme or
> contract which effectively upholds principles for fair
> handling of the information that are substantially similar to
> the NPPs; or
> "(b) the individual consents to the transfer; or ...
> "(f) the organisation has taken reasonable steps to ensure
> that the information which it has transferred will not be
> held, used or disclosed by the recipient of the information
> inconsistently with the NPPs."
> So our law allows for means other than legislation to enforce
> Australia's privacy principles over particular instances of
> personal data sent overseas.
> In my view, the current light touch privacy regime may
> encourage organisations to:
> (i) require off-shore call centre contractors to have good
> privacy policies and practices,
> (ii) better still, try to impose Australian style policies
> and practices on contractors,
> (iii) include those policies and practices in their contracts
> with the off-shore call centre,
> (iv) most important of all, seek independent verification of
> the contractor's actual adherence to those policies and practices.
> If things do indeed evolve this way then the focus will shift
> onto the 'goodness' of privacy audits done in other countries.
> Stephen Wilson
> Director, Identity Management
> SecureNet Limited
> Level 4, 33 Saunders Street
> Pyrmont NSW 2009
> (Locked Bag 32, Pyrmont NSW 2009)
> Ph. +61 2 8514 7350
> Mob +61 414 488 851
> Fax +61 2 8514 7301
> > _______________________________________________
> > Link mailing list
> > Link@mailman.anu.edu.au
> > http://mailman.anu.edu.au/mailman/listinfo/link