Australian Privacy Principle 8 - Cross-Border Disclosure of Personal Information
8.1 Before an organisation discloses personal information about an individual to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information. An overseas recipient is expressed to be a ‘person’.
This APP is to be read in conjunction with Section 16C, which provides, in essence, that where an overseas recipient is not itself bound by the APPs, the organisation is liable for any act by the overseas recipient in breach of the APPs.
‘Persons’ are usually taken in law to be individuals or incorporated bodies. ‘Disclosure’ is considered to have occurred for the purposes of the Act when the organisation grants access to information and releases it from its own control. Disclosure is furthermore a positive act, distinct from unauthorised access and from a usage of information such as placing it on an internet server located overseas. The information has to reach the recipient before disclosure is considered to have been made.
As to what reasonable steps are to be taken, the OAIC recommends that organisations enter enforceable contracts to control the recipient’s treatment and use of the information.
8.2 The organisation need not take these steps if it is reasonably satisfied that the recipient is subject to laws that will protect the information in a similar way and the individual can access effective mechanisms of enforcement.
These steps are also not required if the individual consents to the overseas disclosure.