Privacy Protection for Off-shoring Bill 2007

Schedule 1 Amendments

Financial Management and Accountability Act 1997

1  After Part 6

Insert:

Part 6A—Requirements for Commonwealth contracts

43A  Principles applying to Commonwealth contracts

(1)  This section requires an agency entering into a Commonwealth contract for the provision of services in Australia, to take contractual measures to ensure that a contracted service provider for the contract cannot undertake work in relation to the contract, of a kind that would involve use of personally identifiable information, in a country other than Australia.

(2)  The agency must ensure that the Commonwealth contract does not authorise a contracted service provider for a contract for the provision of services in Australia, to undertake work in relation to the contract, of a kind that would involve use of personally identifiable information, in a country other than Australia.

(3)  The agency must also ensure that the Commonwealth contract contains provisions to ensure that the undertaking of work in relation to the contract, of a kind that would involve use of personally identifiable information, in a country other than Australia, is not authorised by a subcontract.

(4)  For the purposes of this section:

agency has the meaning set out in section 6 of the Privacy Act 1988.

personally identifiable information has the meaning set out in section 65AAAB of the Trade Practices Act 1974.

subcontract has the meaning set out in section 95D of the Privacy Act 1988.

             (5)  This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency’s own right.

Trade Practices Act 1974

2  After Division 1 of Part V

Insert:

Division 1AAAA - Disclosure of personally identifiable information outside Australia

65AAAA  Overview

                   This Division sets out what is meant by the disclosure of personally identifiable information outside Australia. A corporation is prohibited from engaging in certain conduct in relation to disclosure of personally identifiable information outside Australia (see sections 65AAAC and 75AZRA).

65AAAB  Definitions

                   In this Division:

Affiliate means any company that controls, is controlled by, or is under common control with another company

Consumer means an individual who obtains from a corporation products or services which are to be used primarily for personal, family or household purposes, and also means the legal representative of such an individual

Nonaffiliated third party means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the corporation, but does not include a joint employee of such corporation

Personally identifiable information means information including:

                     (a)  Name

                     (b)  Postal address

                     (c)  Financial information

                     (d)  Medical records

                     (e)  Date of birth

                      (f)  Phone number

                     (g)  E-mail address

                     (h)  Medicare number

                      (i)  Mother’s maiden name

                      (j)  Driver’s licence number;

                     (k)  Tax file number.

65AAAC  Transmission of information

                   A corporation may not disclose personally identifiable information relating to a consumer to any branch, affiliate, subcontractor, or unaffiliated third party located in a country other than Australia, unless:

                     (a)  the corporation provides the notice of privacy protection set out in section 65AAAD;

                     (b)  the consumer is given the opportunity, before the time that such information is initially disclosed, to object to the disclosure of such information to such branch, affiliate, subcontractor, or unaffiliated third party located in a country other than Australia; and

                     (c)  the consumer is given an explanation of how the consumer can exercise the nondisclosure option set out in paragraph (b).

65AAAD  Notice requirements

(1)  If a corporation transmits personally identifiable information to entities for processing outside Australia, at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a corporation must provide a clear and conspicuous disclosure to such consumer in writing or in electronic form of the corporation’s policies and practices with respect to the transmission of personally identifiable information, consistent with subsection (2).

(2)  The disclosure required by subsection (1) must include:

(a)     information informing the consumer in simple language:

                              (i)  that the corporation transmits personally identifiable information to entities for processing outside Australia;

                             (ii)  of the privacy laws of the country to which personally identifiable information will be sent;

                            (iii)  of any additional risks and consequences to the privacy and security of an individual’s personally identifiable information that may arise as a result of the processing of such information outside Australia; and

                            (iv)  of any additional measures the corporation is taking to protect the personally identifiable information transmitted for processing outside Australia; and

(b)     a certification that:

                              (i)  the corporation has taken reasonable steps to identify the locations where personally identifiable information is transmitted by such entities;

                             (ii)  attests to the privacy and security of the personally identifiable information transmitted for processing outside Australia; and

                            (iii)  states the reasons for the determination by the corporation that the privacy and security of such information is maintained.

65AAAE  Effect on Business Relationship

                   A corporation must not discriminate against a consumer because the consumer has objected to the disclosure under paragraph 65AAAC(b).

3  After section 75AZR

Insert:

75AZRA  Disclosure of personally identifiable information outside Australia

             (1)  A corporation must not transmit personally identifiable information for processing outside Australia other than in accordance with section 65AAAC.

Penalty:  2,000 penalty units.

Note 1:       The penalty specified above is the maximum penalty that may be imposed on a corporation: subsection 4B(3) of the Crimes Act 1914 does not apply.

             (2)  Subsection (1) is an offence of strict liability.

Note 1:       Chapter 2 of the Criminal Code sets out the general principles of criminal responsibility.

Note 2:       For strict liability, see section 6.1 of the Criminal Code.