Australia – Privacy: Cloud Computing And Cross-Border Data Flows.

12 May, 2014


This Government Alert explores the revised privacy legislation, which took effect on 12 March 2014, and its impact on Commonwealth departments and agencies.


Introduction


Previously, we discussed the amendments in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 that came into effect on 12 March 2014.

 

  • All personal information that is collected, used or disclosed by Commonwealth departments and agencies or their contractors is now subject to the Australian Privacy Principles (APPs).
  • Commonwealth departments and agencies are both an “APP entity” and an “agency” for the purposes of the APPs.


Some of the key changes that will impact agencies are the new cross-border data flow requirements. Previously, these provisions only applied to the private sector. Commonwealth Departments and agencies now have specific obligations – and liabilities – where information is disclosed overseas. This can occur, for example:

 

  • where personal information is accessed from overseas as part of providing help desk or other services to a Commonwealth department or agency; or
  • depending on how “disclose” is interpreted, where Commonwealth departments and agencies or their contractors store personal information in “the cloud”.


This Government Alert discusses these new obligations as well as related obligations under the policy issued by the Attorney-General.


APP Guidelines


The Office of the Australian Information Commissioner (OAIC) has issued Guidelines to assist agencies and organisations to comply with the APPs (APP Guidelines). References in this Government Alert to OAIC’s views are to what OAIC has stated in the APP Guidelines.


What’s New


As discussed further below, there are three new obligations that apply to the disclosure of personal information outside Australia:


1. APP entities must inform individuals whether their information is likely to be disclosed to overseas recipients and, if practicable, which countries.


2. Unless an exception applies, before any disclosure occurs, the APP entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to that information; and


3. The APP entity must continue to comply with the APPs, particularly APP 6 (use or disclosure of personal information) and 11.1 (security of personal information), and ensure that its contractual arrangements comply with section 95B (requirements for Commonwealth contracts) of the Privacy Act 1988 (Privacy Act).


However, even if an APP entity does all these things, the APP entity may still be responsible for any breach of privacy by the recipient.

 

Obligation To Inform – APP 1.4 And APP 5.2


New APP 1.3 requires all APP entities to publish a privacy policy which sets out how they manage personal information. New APPs 1.4(f) and (g) require that this APP privacy policy include the following information:


a) whether the entity is likely to disclose personal information to overseas recipients;


b) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.


APP 1.4 is an ongoing obligation. In addition to this, APP 5.1 requires that:


At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:


a) to notify the individual of such matters referred to in APP 5.2 as are reasonable in the circumstances; or


b) to otherwise ensure that the individual is aware of any such matters.


The matters specified in APP 5.2 include:


a) whether the APP entity is likely to disclose the personal information to overseas recipients; and


b) if the APP entity is likely to disclose the personal information to overseas recipients — the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.


Obligation To Take Reasonable Steps – APP 8.1


In addition to the obligations in APPs 1.4 and 5.2, APP 8.1 (cross-border disclosure of personal information) requires that:


Before an APP entity discloses personal information about an individual to a person (the overseas recipient):


a) who is not in Australia or an external Territory; and


b) who is not the entity or the individual;


the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than APP 1) in relation to the information.


APP 8 applies where an entity “discloses” to an overseas recipient “who is not the entity or the individual”. This means that it will not apply where a Commonwealth department or agency sends information to one of its offices overseas. By contrast, APP 8 will apply if an entity discloses personal information to a “related body corporate” located overseas.


Some examples of where disclosure may occur in a Commonwealth context are:

 

  • personal information is provided to another Commonwealth agency which is located overseas;
  • personal information is shared with another government; 
  • personal information is stored overseas;
  • personal information is provided to a contractor or service provider based in Australia, which passes it to a related body corporate which is located overseas; or
  • personal information is provided to a contractor or service provider based overseas.


The transfer of information overseas is particularly common in 24/7 arrangements such as call centres or IT support arrangements.


It is also becoming increasingly common for cloud computing to be used both to store data and to access centralised software or services. Personal information that is “in the cloud” may be stored in any one of a number of countries at any one time and the privacy protections in these countries may vary greatly.


Ongoing Liability Of Commonwealth Departments And Agencies – APP 8.2


It is important to read APP 8.1 with new section 16C. Section 16C applies where:


a) an APP entity discloses personal information about an individual to an overseas recipient; and


b) APP 8.1 applies to the disclosure of the information; and

 

c) the APPs do not apply to an act done, or a practice engaged in, by the overseas recipient in relation to the information.


In these circumstances, if the overseas recipient does something that would have been a breach of the APPs (had the APPs applied to the overseas recipient) then unless an exception applies:


[t]he act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act:


a) to have been done, or engaged in, by the (disclosing) APP entity; and


b) to be a breach of the APPs by the (disclosing) APP entity.


Exceptions To Section 16C


The general purpose of section 16C is to ensure that the individual whose personal information is disclosed still has protection against unauthorised use or disclosure of that information.


The corollary of this is that the discloser will not be responsible under section 16C if:

 

  • the recipient has some kind of Australian link such that it is subject to the Privacy Act (and hence the individual has remedies against them); or
  • an exception in APP 8.2 applies.


The three main exceptions in APP 8.2 are: equivalent law; consent; and required or authorised by law. These are each discussed below.


Equivalent Law – APP 8.2(a)


Agencies will not be liable under section 16C (and will not be required to take reasonable steps under APP 8.1) where:


the (disclosing) entity reasonably believes that:


a) the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information; and


b) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme


This exception is broadly in line with the overall intention of ensuring that individuals have a remedy – either under the Privacy Act or equivalent laws overseas – in relation to any unauthorised use or disclosure of their personal information. However, it is not a requirement that the individual actually has a remedy; it is enough that the disclosing entity “reasonably believes” that they will.


It is important to note that:

 

  • while OAIC has provided some guidance as to how agencies can determine whether countries have equivalent remedies, it has not issued a list of those countries;
  • if information is disclosed to multiple countries (for example as part of a cloud arrangement), the disclosing entity would need to be satisfied that each country to which the information could be disclosed had equivalent protections; and
  • the other APPs – particularly the requirement in APP 6 to only disclose personal information for permitted purposes – will continue to apply.


Consent – APP 8.2(b)


Agencies will also not be liable under section 16C where the individual consents to the disclosure after the entity expressly informs the individual that if he or she consents to the disclosure of the information, APP 8.1 will not apply to the disclosure.


Interestingly, APP 8.2(b) does not require the agency to expressly inform the individual that section 16C will not apply, i.e. that by consenting to the disclosure they may be in the position of having no remedies against either the disclosing agency or the recipient. However, OAIC says that agencies “should” explain these consequences as part of seeking consent.


Required Or Authorised By Law – APP 8.2(c)


Agencies will also not be liable under section 16C where:


the disclosure of the information is required or authorised by or under an Australian law or a court/ tribunal order.


APP 8.2(c) applies only to “Australian law”. The definition of “Australian law” includes “a rule of common law or equity”. Contracts are not included in the definition. This means that an agency could still be liable under section 16C even where it is contractually required to provide the personal information. For example, there could be a contractual requirement to provide audit logs.


Section 6A(4) provides that an act or practice required by an applicable law of a foreign country will not breach the APPs but only if it is done, or engaged in, outside Australia. Accordingly, it would not breach the APPs if a US based company transferred personal information stored in Europe to the US in order to comply with the PATRIOT Act, whereas it would be a breach to transfer personal information from Australia to the US (without the individual’s consent) pursuant to an order issued under the PATRIOT Act.


Other Exceptions


The other instances where agencies will not be liable under section 16C for disclosures only apply in limited circumstances:

 

  • serious threats to the “life, health or safety of any individual, or to public health or safety”;
  • suspected “unlawful activity, or misconduct of a serious nature, that relates to the entity’s functions or activities”;
  • diplomatic or consular functions;
  • disclosures by agencies pursuant to international information sharing agreements;
  • disclosures by agencies to foreign enforcement bodies for the purposes of enforcement related activities.


The permitted general situations in items 4 and 5 of section 16A are not exceptions for the purposes of APP 8. They relate to the establishment or exercise of a legal or equitable claim (item 4) and alternative dispute resolution (item 5). This means that these items can only be used to justify disclosure within Australia.


Application Of APP 8 (And Section 16C) To Storage Contracts


Unlike APP 6 – which applies to both “use” and “disclosure” – APP 8 only regulates “disclosure”. The term “disclose” is not defined in the Privacy Act. OAIC’s view is that:


An APP entity discloses personal information where it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control.


OAIC has provided the following guidance as to what is a “disclosure”:


“Disclosure”
  • Inadvertent or unintentional release
  • Unauthorised release by an employee

Not a “disclosure”
  • Cyber-attacks or thefts
  • Routing personal information, in transit, through servers located outside Australia


OAIC also says that, depending on the terms of the contract, an agency that stores personal information in cloud arrangements based overseas will not need to comply with APP 8 as that is a “use” rather than “disclosure” of the personal information. This is because the entity will not have “release[d] the subsequent handling of the information from its effective control”.


OAIC states that the minimum contractual terms required for this to occur are:

 

  • a binding contract between the entity and the provider requires the provider only to handle the personal information for [the] limited purposes [of storage and ensuring the entity may access the information];
  • the contract requires any subcontractors to agree to the same obligations; and 
  • the contract gives the entity effective control of how the personal information is handled by the overseas recipient.


The downside for individuals of treating storage as a “use” rather than a “disclosure” is that there is no requirement to tell the individual that their information is being stored overseas. Individuals may not have consented to collection had they been aware that their information was being stored overseas.


The upside for individuals and downside for agencies of this interpretation is that agencies will remain potentially liable under the Privacy Act in the event of a failure by the cloud service provider to comply with the APPs when handling the information. This is because:

 

  • the handling of the information is interpreted as a use of that information by the agency; and
  • any acts or practices undertaken by the cloud service provider on behalf of the agency will generally be treated as having been done by the entity (see section 8(1) of the Privacy Act).

 

Attorney-General’s Policy


However these provisions are interpreted, Commonwealth departments and agencies still need to comply with the Australian Government Policy and Risk Management Guidelines for the Storage and Processing of Australian Government Information in Outsourced or Offshore ICT Arrangements (July 2013).


This policy does not prohibit the transfer of data overseas. However, agencies cannot enter into arrangements where personal information is held offshore unless:

 

  • the relevant portfolio Minister agrees that sufficient technological or other measures have been implemented to mitigate the risk of unauthorised access; and 
  • the Attorney-General also agrees.


The two-Minister approval requirement applies:

 

  • to both cloud and non-cloud arrangements; and
  • regardless of the level of privacy protection in the overseas country.


This policy does not apply to classified information. Classified information continues to be regulated by the Protective Security Framework and the Information Security Manual.


Other Caveats


The other important point to note is that even if:

 

  • agencies get consent from two Ministers; and
  • APP 8.1 and section 16C do not apply (either because there is no “disclosure” or because an exception in APP 8.2 applies),


agencies are still required to comply with the balance of the APPs. In particular they are still required to:

 

  • comply with the security obligations in APP 11.1;
  • ensure the contractual arrangement complies with section 95B of the Privacy Act; and
  • ensure that personal information is only used for a purpose permitted by APP 6.


Security – APP 11.1


APP 11.1 replaced IPP 4. It reads:


If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information:


a) from misuse, interference and loss; and


b) from unauthorised access, modification or disclosure.


For example, while it would not be a “disclosure” for the purposes of APP 8 if an agency’s local servers were hacked by an overseas entity, the APP entity would have breached APP 11.1 if it had failed to take “reasonable” steps to protect the information from “unauthorised access”.


Section 6(1) provides that an entity “holds” personal information if the entity has possession or control of a record that contains the personal information.


OAIC considers that (B.75):


The term ‘holds’ extends beyond physical possession of a record to include a record that an APP entity has the right or power to deal with. Whether an APP entity ‘holds’ a particular item of personal information may therefore depend on the particular information collection, management and storage arrangements it has adopted. For example, an APP entity ‘holds’ personal information where:

 

  • it physically possesses a record containing the personal information and can access that information physically or by use of an electronic device (such as decryption software); or
  • it has the right or power to deal with the personal information, even if it does not physically possess or own the medium on which the personal information is stored. For example, the entity has outsourced the storage of personal information to a third party but it retains the right to deal with it, including to access and amend that information.


This means that whenever a Commonwealth department or agency outsources its data management – whether that involves a locally hosted, an overseas hosted and/or a cloud solution – it needs to ensure that the contract supports compliance by the Commonwealth department or agency with APP 11.


Where information is “held” by an agency it will also have responsibility for:

 

  • ensuring that it is properly backed up (APP 11.1); and
  • providing individuals with mechanisms to access it (APP 12) and correct it (APP 13).

 

Accordingly, these obligations will also need to be contractually flowed down to the outsourced provider.


Other Specific Responsibilities – Section 95B


Section 95B was introduced into the Privacy Act in 2000. It relevantly reads:


1. [An] agency entering into a Commonwealth contract [must] take contractual measures to ensure that a contracted service provider for the contract does not do an act, or engage in a practice, that would breach an APP if done or engaged in by the agency.


2. The agency must ensure that the Commonwealth contract does not authorise a contracted service provider for the contract to do or engage in such an act or practice.


3. The agency must also ensure that the Commonwealth contract contains provisions to ensure that such an act or practice is not authorised by a subcontract.


Section 95B applies regardless of whether or not:


  • an exception in APP 8.2 applies; or
  • the provision of the data to the contracted service provider is a “use” or a “disclosure”.


Commonwealth Procurement Rules


Given these complexities it may be tempting for contracting officers to disregard any IT or other solutions that involve the cloud or overseas hosting.


However, Commonwealth departments and agencies have obligations under:

 

  • clause 5.3 of the Commonwealth Procurement Rules to treat all potential suppliers “equitably based on their commercial, legal, technical and financial abilities” and not to discriminate against them based on “their size, degree of foreign affiliation or ownership, location, or the origin of their goods and services”; and
  • section 44 of the FMA (the Financial Management and Accountability Act 1997, and the equivalent provisions under the Public Governance, Performance and Accountability Act) to consider other solutions if they represent better value for money.


In addition to any direct cost savings, supporters claim that the cloud:

 

  • reduces the risk of system failure or data loss;
  • makes it easier to service different types of devices (eg tablets, smart phones, etc); and
  • improves productivity by allowing users to work from anywhere.


Contract With Provider


Clearly the terms of the contract with the provider are critical. In particular, contracts in which overseas providers will store or have access to personal information need to address the following aspects:


Requirements and the factors to consider for each:

APP 1.4 and APP 5.2
  • Is there an obligation to obtain the Commonwealth department or agency’s consent (or at least inform the department or agency) if data is moved or new countries are added to the list of possible countries?

APP 6
  • Does the contract provide that the provider can only handle the information for the limited purposes of storage and ensuring the APP entity may access the information?
  • Does the contract prohibit the contractor from disclosing the personal information to third parties (including subcontractors) without the Commonwealth department or agency’s consent?

APP 8.1
  • Does the contract give the Commonwealth department or agency effective control of how the personal information is handled by the provider?

APP 11.1 (see also APP 1.4 and APP 5.2)
  • Does the contract contain adequate obligations on the contractor to secure the data? For example, is information encrypted and, if so, to what standard?
  • In what circumstances is the contractor (or its subcontractors or data centre providers) authorised to access, modify, use or disclose the data?
  • Does the contract contain adequate obligations on the contractor to back up the data?

APP 12
  • Does the contract support the Commonwealth department or agency’s obligations to provide individuals with the opportunity to access their data?

APP 13
  • Does the contract support the Commonwealth department or agency’s obligations to correct or supplement individuals’ personal information (both on request and of its own volition)?

Section 95B(1)
  • Does the contract prohibit the provider from doing an act or engaging in a practice that would breach an APP if done or engaged in by an agency?

Section 95B(3)
  • Does the contract flow the obligations down to subcontractors?

Enforcement
  • What are the Commonwealth department or agency’s remedies if the contract is not complied with?
  • What obligations are there on the contractor to notify the department or agency of any privacy breaches?
  • What provision is there for the department or agency to carry out audits to assess the extent to which the contractor is complying?
  • What liability and indemnity arrangements apply to privacy breaches?
  • What are the individual’s remedies if the APPs are breached?


Tendering Process


It is also important for Commonwealth departments and agencies to use the tendering process to ask key questions about the management of personal information and in particular data security. For example:

 

  • Which countries will the data be held in, and what privacy protections apply in those countries?
  • How will the data be secured? For example:
    • Is there a data security plan in place?
    • What encryption devices are used?
    • Who has access to the data centre (physically or electronically)?
    • How is data transferred to and from the data centre?
  • Where, and in what format, are back-ups stored?


It is important to obtain this information prior to selecting a preferred tenderer as the hosting service provider is likely to have pre-existing contractual arrangements with each data centre provider which may be difficult to change during negotiations.


Similarly, it is important that appropriate privacy and security requirements be included in the draft contract released with the RFT to avoid contractors seeking to increase or change their bids during negotiations.

 

Conclusion And Pointers For Commonwealth Departments And Agencies


There are many situations where Commonwealth departments and agencies (or contractors acting on their behalf) will need to disclose personal information outside Australia. Where this occurs, Commonwealth departments and agencies need to be able to demonstrate that the contractual arrangements:

 

  • comply with APP 6 (use and disclosure for permitted purposes), APP 8 (cross-border disclosures) and section 95B; and
  • support compliance by the department or agency with its obligations under the APPs, particularly APP 1.4, APP 5.2, APP 11.1, APP 12 and APP 13.


Commonwealth departments and agencies also need to ensure that the contract contains appropriate protections for any liability that the department or agency has under section 16C if the contractor or its subcontractors fail to comply with the APPs.


For further information, please contact:

Gordon Hughes, Partner, Ashurst
gordon.hughes@ashurst.com

Sarah Ross-Smith, Partner, Ashurst
sarah.ross-smith@ashurst.com

Tim Brookes, Partner, Ashurst
tim.brookes@ashurst.com

Amanda Ludlow, Partner, Ashurst
amanda.ludlow@ashurst.com

Sophie Dawson, Partner, Ashurst
sophie.dawson@ashurst.com

Nada Maltaric, Ashurst
nada.maltaric@ashurst.com

Hyans Mach, Ashurst
hyans.mach@ashurst.com

John Bird, Ashurst
john.bird@ashurst.com

Georgina Adams, Ashurst
georgina.adams@ashurst.com
