Transborder privacy control [was: [LINK] Mumbai Jumbo]

Chirgwin, Richard Richard.Chirgwin@informa.com.au
Tue, 18 Feb 2003 14:13:18 +1000


Stephen - transparency is important, however. If Amex declines to explain how
privacy is protected through its outsourcing chain, then that transparency
doesn't exist.

There's a gap in the NPPs, isn't there (well, I guess you could argue
there's a million gaps, but I'm thinking of one in particular...)?

Imagining: NPP 5.1(b)
An organisation shall ensure that where it passes personal information to a
sub-contractor, that contractor's privacy policy is in accordance with NPP
2.
5.1(c)
Sub-contractor privacy policies as described in 5.1(b) shall be made
available under the provisions of this provision, regardless of the domicile
of the sub-contractor.

...Alas, it's probably a pipe dream. Do another 399,999 Linkers want to
march with me on Sunday demanding that personal data be kept away from
offshore subcontractors?

Richard Chirgwin

> -----Original Message-----
> From: Stephen Wilson [mailto:swilson@securenet.com.au]
> Sent: Tuesday, 18 February 2003 12:35
> To: link@www.anu.edu.au
> Subject: Transborder privacy control [was: [LINK] Mumbai Jumbo]
> 
> 
> 
> 
> > -----Original Message-----
> > From: Damien Miller [mailto:djm@mindrot.org]
> > Sent: Tuesday, February 18, 2003 11:22 AM
> > To: Ash Nallawalla
> > Cc: 'Russell Ashdown'; link@www.anu.edu.au
> > Subject: Re: [LINK] Mumbai Jumbo
> > 
> > > > ... Is it acceptable 
> > > > to have the private credit card accounts of Australian
> > > > residents available online in a foreign country?
> > > 
> > > Yes, it's fine ... You would still be able to take Amex
> > > to court in Australia if something went wrong.
> > 
> > Actually it may be different - as you are dealing with a
> > non-Australian support company any information you give
> > may not be covered by our privacy laws.
> 
> 
> It is not actually necessary for the other jurisdiction to 
> have privacy laws (although it is better if it does).  What 
> is necessary is that the sender of personal information to a 
> recipient in another jurisdiction has made sure that the 
> privacy of that information will remain reasonably protected. 
> 
> NPP 9 states: 
> 
> "An organisation in Australia ... may transfer personal 
> information ... to someone ... who is in a foreign country only if:
> "(a) the organisation reasonably believes that the recipient 
> of the information is subject to a law, binding scheme or 
> contract which effectively upholds principles for fair 
> handling of the information that are substantially similar to 
> the NPPs; or
> "(b) the individual consents to the transfer; or ...
> "(f) the organisation has taken reasonable steps to ensure 
> that the information which it has transferred will not be 
> held, used or disclosed by the recipient of the information 
> inconsistently with the NPPs." 
> 
> 
> So our law allows for means other than legislation to enforce 
> Australia's privacy principles over particular instances of 
> personal data sent overseas.  
> 
> 
> In my view, the current light touch privacy regime may 
> encourage organisations to:
> 
> (i)   require off-shore call centre contractors to have good 
> privacy policies and practices, 
> (ii)  better still, try to impose Australian style policies 
> and practices on contractors, 
> (iii) include those policies and practices in their contracts 
> with the off-shore call centre, 
> (iv)  most important of all, seek independent verification of 
> the contractor's actual adherence to those policies and practices. 
> 
> If things do indeed evolve this way then the focus will shift 
> onto the 'goodness' of privacy audits done in other countries.  
> 
> Cheers, 
> 
> Steve.
> 
> 
> Stephen Wilson
> Director, Identity Management 
> SecureNet Limited 
> 
> Level 4, 33 Saunders Street
> Pyrmont NSW  2009
> (Locked Bag 32, Pyrmont NSW 2009)
> 
> Ph. +61 2 8514 7350
> Mob +61 414 488 851
> Fax +61 2 8514 7301
> 
> 
> > _______________________________________________
> > Link mailing list
> > Link@mailman.anu.edu.au
> > http://mailman.anu.edu.au/mailman/listinfo/link
> > 