IPP 9: Transborder data flows

    Document version: IPP 9: Transborder data flows 2019.A (consultation draft), 16 May 2019.

    9.1

    IPP 9 regulates the transfer of data outside of Victoria – either interstate or overseas. In this context, the term ‘data’ means personal information as defined in the Key Concepts chapter. The term ‘transfer’ is not defined in the PDP Act. The Macquarie Australian Dictionary defines ‘transfer’ as ‘carry or send from one place, person, etc, to another’.

    9.2

    The development of new technologies and the increase in the outsourcing of services by the Victorian public sector has meant transborder data flows between organisations have become increasingly common. The protections of the PDP Act apply to personal information held by Victorian public sector organisations regardless of the location of their information collection and handling practices.1 However, Victoria’s privacy law does not apply to information after it is received by someone who is not subject to the PDP Act. IPP 9 aims to ensure that, when personal information travels, privacy protection travels with it.

    9.3

    IPP 9 does not restrict transfers to the individual who is the subject of the information. As with other disclosures, organisations should be mindful of any overriding statutory or other duties of confidentiality or secrecy that might restrict such a transfer. Organisations should also always ensure data security obligations under IPP 4 are met.

    9.4

    IPP 9 also does not apply where both the sender and recipient are part of the same organisation, such as when an organisation communicates with or transfers information to staff who are located or travelling interstate or overseas.

    9.5

    Like other provisions in the PDP Act, IPP 9 is interpreted in a manner compatible with the privacy and other rights of the individual, insofar as this is consistent with the purpose and objects of the PDP Act.2 Where possible, organisations should endeavour to ensure privacy protections accompany any transfer of information. Where such protections are not in place and the organisation seeks to rely on IPP 9.1(b) to (e) for the transfer, it is expected this would only occur where the individual’s interests in favour of the transfer override their interests in protecting the privacy of their information or where the privacy risk is relatively small.

    9.6

    A Victorian law that requires transborder transfers of personal information will override IPP 9 to the extent of any inconsistency.3 Commonwealth laws may also prevail over the PDP Act. For example, mutual assistance laws may provide an alternative mechanism for authorising international data transfers relating to criminal investigations and prosecutions and recovery of the proceeds of crime.4 Exemptions in the PDP Act may also be relevant, for example, where police reasonably believe it is necessary not to comply with IPP 9 when carrying out particular law enforcement activities or where courts or tribunals carry out their judicial or quasi-judicial functions.

    9.7

    Apart from transfers authorised under other Victorian or Commonwealth laws, personal information may only be transferred outside Victoria under one of six grounds set out in IPP 9:

    • the organisation reasonably believes the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the IPPs – IPP 9.1(a); or
    • the individual consents to the transfer – IPP 9.1(b); or
    • the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request – IPP 9.1(c); or
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party – IPP 9.1(d); or
    • all of the following apply—
      • the transfer is for the benefit of the individual;
      • it is impracticable to obtain the consent of the individual to that transfer;
      • if it were practicable to obtain that consent, the individual would be likely to give it – IPP 9.1(e); or
    • the organisation has taken reasonable steps to ensure the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the IPPs – IPP 9.1(f).

    9.8

    IPPs 9.1(a) and (f) will commonly overlap. Consent, and implied consent, plays a role in IPPs 9.1(b) and (c). Two other grounds require the organisation to anticipate the interests of an individual who is not party to the contract (IPP 9.1(d)) or the likelihood the individual would give consent if it were practicable to seek it from them (IPP 9.1(e)).

    9.9

    Unlike IPPs 9.1(a) and (f), transfers under IPPs 9.1(b) to (e) are not expressly required to be accompanied by privacy protections. While such transfers must only occur where it is in the interest or for the benefit of the individual, there remains a risk the individual’s information may, once outside of Victoria, be used or otherwise handled in a manner inconsistent with the IPPs. Inconsistent handling of personal information may, in some circumstances, adversely affect the personal privacy of individuals and individuals may have no (or only a limited) avenue for seeking redress outside Victoria.

    9.10

    The following checklist is designed to help organisations consider whether the transfer of data outside Victoria is permitted by IPP 9. Each of the permitted circumstances is described in more detail below. Note even if a proposed transfer meets the requirements of the IPP 9 grounds, the other IPPs are still applicable. IPP 4 (Data Security) is particularly relevant throughout any transborder data flow.

    When is a transborder data flow permitted by IPP 9?

    9.1(a) Is the intended recipient subject to privacy protections equivalent to the PDP Act?

    Consider:

    1. the form of the obligation the recipient is subject to (contractual, legislative, or other);
    2. the content of the obligation; and
    3. the enforceability of the obligation.

    If yes, the transfer is allowed under IPP 9. If no, consider a different ground under IPP 9.

    9.1(b) Has the individual consented to the transfer?

    Consider the following points in relation to an individual’s consent:

    1. the consent’s validity;
    2. the capacity of the individual to consent;
    3. whether the consent is informed (has the individual been notified about the consequences of the transfer?);
    4. whether the consent is specific;
    5. whether the consent is current (has the individual withdrawn consent at any time?); and
    6. whether the consent is voluntary (not a condition of receiving a good or service).

    Remember to seek updated consent as appropriate.

    If yes, the transfer is allowed under IPP 9. If no, consider a different ground under IPP 9.

    9.1(c) Is the transfer necessary for performance of a contract or pre-contractual measures at the individual’s request?

    1. Was a contract entered into between your organisation and the individual?
    2. Is there a specific provision in the contract that requires, or grants discretion to, your organisation to disclose the type of personal information?
    3. Is there a close connection between the personal information and the purpose of the contract?
    4. Has a notice been provided to the individual prior to entering the contract that a transfer to a recipient outside of Victoria is likely to take place?
    5. Does the fulfilment of the contract or pre-contractual term require information to be transferred to another jurisdiction?

    If yes, the transfer is allowed under IPP 9. If no, consider a different ground under IPP 9.

    9.1(d) Is the transfer necessary for performance of a contract with a third party in the individual’s interest?

    1. Was a contract entered into between your organisation and a third party in the interest of the individual?
    2. Is there a specific provision in the contract that requires, or grants discretion to, your organisation to transfer the type of personal information?
    3. Was a notice provided to the individual prior to entering the contract that a transfer to a recipient outside Victoria is likely to take place?
    4. Does the fulfilment of the contract or pre-contractual term require information to be transferred to another jurisdiction?

    Remember to seek updated consent as appropriate.

    If yes, the transfer is allowed under IPP 9. If no, consider a different ground under IPP 9.

    9.1(e) Is the transfer for the individual’s benefit, is it impracticable to obtain consent, and is consent likely to be given?

    1. Will the individual obtain a benefit from transferring the information to another jurisdiction?
    2. Is it impracticable to obtain the individual’s consent to the transfer?
    3. Is it likely consent would have been given? Given the benefit, in the usual course of events, would the individual be likely to consent?

    Remember to seek updated consent as appropriate.

    If yes, the transfer is allowed under IPP 9. If no, consider a different ground under IPP 9.

    9.1(f) Has your organisation taken reasonable steps to ensure the data will not be handled inconsistently with the IPPs?

    Consider what is ‘reasonable’ in the circumstances, including:

    1. the nature and sensitivity of the personal information;
    2. possible consequences for the individual if their information is mishandled;
    3. whether your organisation has appropriately limited the amount of data to be transferred; and
    4. whether independent legal advice is required.

    If the organisation is unable to transfer the data under the grounds of IPP 9, do not proceed with the data transfer.

    IPP 9.1(a): Recipient bound by principles substantially similar to the IPPs

    9.11

    IPP 9.1(a) permits organisations to transfer data where they reasonably believe the recipient is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of information that are substantially similar to the IPPs.

    9.12

    Organisations should check whether the proposed recipient is covered by a privacy law comparable to the PDP Act. Note not all Australian jurisdictions have privacy laws in force. As at 13 February 2019, privacy laws existed in Victoria, New South Wales, the Northern Territory, Tasmania, Queensland, the Australian Capital Territory and the Commonwealth.5 Whilst South Australia has adopted administrative privacy standards which have some application to South Australian state public sector organisations, there are no privacy laws currently in place.

    9.13

    Western Australia has neither a privacy law nor administrative standards in place. In 2007, the Information Privacy Bill 2007 (WA) (Privacy Bill) was introduced to the Western Australian Parliament but it was not passed. Since 2007, there have been discussions to introduce the Privacy Bill again, but as at 13 February 2019, it has not been passed.

    9.14

    If you have queries about the application or coverage of privacy laws operating in other jurisdictions, you are encouraged to seek independent legal advice. You may also wish to contact the relevant oversight body or responsible government agency – see Figure 1 and Figure 2 below, current as at 13 February 2019.

    Figure 1: Australian Privacy Jurisdictions

    VIC
      Privacy laws or standards: Privacy and Data Protection Act 2014 (Vic) – www.legislation.vic.gov.au
      Oversight body: Office of the Victorian Information Commissioner – www.ovic.vic.gov.au
      Privacy laws or standards: Health Records Act 2001 (Vic) – www.legislation.vic.gov.au
      Oversight body: Office of the Health Complaints Commissioner, Victoria – www.health.vic.gov.au/hsc

    NSW
      Privacy laws or standards: Privacy and Personal Information Protection Act 1998 (NSW); Health Records and Information Privacy Act 2002 (NSW) – www.legislation.nsw.gov.au
      Oversight body: Information and Privacy Commission New South Wales – www.ipc.nsw.gov.au/

    QLD
      Privacy laws or standards: Information Privacy Act 2009 (Qld) – http://www.legislation.qld.gov.au
      Oversight body: Office of the Information Commissioner, Queensland – www.oic.qld.gov.au

    TAS
      Privacy laws or standards: Personal Information Protection Act 2004 (Tas) – www.thelaw.tas.gov.au
      Oversight body: Ombudsman, Tasmania – www.ombudsman.tas.gov.au

    SA
      Privacy laws or standards: No privacy law, but see Cabinet Administrative Instruction to comply with Information Privacy Principles Instruction (originally issued in 1989, last re-issued on 20 June 2016) – https://www.archives.sa.gov.au/content/privacy-law-sa principles.html
      Oversight body: Privacy Committee, South Australia – https://government.archives.sa.gov.au/content/privacy-committee-sa

    WA
      Privacy laws or standards: No privacy law or administrative privacy regime
      Oversight body: Not applicable

    NT
      Privacy laws or standards: Information Act 2002 (especially Part 5) – https://legislation.nt.gov.au
      Oversight body: Office of the Information Commissioner, Northern Territory – www.infocomm.nt.gov.au

    ACT
      Privacy laws or standards: Information Privacy Act 2014 (ACT) – https://www.legislation.act.gov.au/
      Oversight body: Office of the Australian Information Commissioner – www.oaic.gov.au
      Privacy laws or standards: Health Records (Privacy and Access) Act 1997 – www.legislation.act.gov.au
      Oversight body: Australian Capital Territory, Human Rights Commission – http://hrc.act.gov.au/health/health-records/

    CTH
      Privacy laws or standards: Privacy Act 1998 (Cth) – www.legislation.gov.au
      Oversight body: Office of the Australian Information Commissioner – www.oaic.gov.au

    Figure 2: International Privacy Jurisdictions

    New Zealand
      Privacy laws or standards: Privacy Act 1993 – www.legislation.govt.nz
      Oversight body: Office of the Privacy Commissioner – www.privacy.org.nz

    European Union
      Privacy laws or standards: General Data Protection Regulation (GDPR) – https://eur-lex.europa.eu/homepage.html
      OVIC Guidance on the GDPR – https://ovic.vic.gov.au/resource/the-gdpr-eu-general-data-protection-regulation/
      Oversight body: European Data Protection Board – https://edpb.europa.eu/edpb_en
      Links to the European Member States oversight bodies – https://edpb.europa.eu/about-edpb/board/members_en
      Link to the European Union oversight body, the European Data Protection Supervisor – https://edps.europa.eu/edps-homepage_en
      Link to non-EU countries deemed to have an adequate level of data protection by the European Commission – https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en

    United States (federal)
      Privacy laws or standards: No general national privacy law. The Office of Management and Budget (OMB) issues guidance on the Privacy Act of 1974 – https://www.whitehouse.gov/omb/information-regulatory-affairs/privacy/
      Oversight body: However, the Federal Trade Commission oversees the privacy of consumers – https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection

    9.15

    Where a privacy law operates in the recipient’s jurisdiction, organisations should be aware that, while there are likely to be many similarities, there may also be some significant differences that could affect a data transfer. For example, the privacy law operating in the recipient’s jurisdiction may not apply to the data transfer, or that law may authorise certain uses or disclosures not regarded as appropriate or legitimate in Victoria. These types of issues are discussed further in the following sections.

    9.16

    OVIC does not have legislative authority to decide whether a privacy law, scheme or contract in another jurisdiction provides substantially similar privacy protection for the purposes of IPP 9. Nor does OVIC have authority to issue a ‘whitelist’ of persons or bodies regarded as subject to adequate protections for the handling of personal information. Each case needs to be assessed on its merits, taking into account the circumstances of the particular data transfer that is proposed or has been undertaken.

    Assessing if the personal information recipient is subject to privacy protections equivalent to the PDP Act

    9.17

    To merit the description ‘substantially similar’, the organisation proposing to transfer data will need to consider whether the recipient is subject to equivalent privacy protections. This will involve consideration of:

    • the extent to which the recipient is subject to the relevant law, binding scheme or contract;
    • the extent to which principles are upheld effectively under that law, binding scheme or contract; and
    • the degree to which the relevant principles are sufficiently similar to Victoria’s IPPs.

    9.18

    These considerations are essentially about:

    • Form of obligation: what form of regulatory mechanism is used to impose fair handling obligations on the recipient – law, binding scheme or contract?
    • Content of principles: which privacy or data protection rights are included in the fair handling principles the recipient is required to uphold?
    • Enforceability: are the fair handling principles binding on the recipient and are they enforceable?

    Form of obligation: Is the recipient subject to a law, binding scheme or contract?

    9.19

    This element of IPP 9.1(a) may be satisfied where, for example, the recipient is:

    • bound by a privacy or data protection law that applies in the recipient’s jurisdiction;
    • required to comply with some other law that imposes data collection and handling obligations in respect of personal information (for example, some criminal law and taxation statutes expressly authorise and prohibit specified uses and disclosures, permit retention of some data, require destruction after a set time or under specified circumstances, and preserve a right of access to the person’s own information);
    • subject to an enforceable industry scheme or privacy code, irrespective of whether the recipient was obliged or volunteered to participate or subscribe to the scheme or code; or
    • party to a contract that successfully incorporates s 17 of the PDP Act.

    9.20

    However, recipients may not be regarded as ‘subject to’ a law, binding scheme or contract where, for example:

    • the privacy or data protection law or regulations (or other law or regulations) exempt the recipient from having to comply with some or all of the fair handling principles;
    • there is an existing or proposed authority (such as a public interest determination or direction issued by a privacy commissioner or minister) allowing the recipient to breach any or all of the fair handling principles;
    • the data being transferred is not protected under the recipient’s privacy or data protection law, for example, due to a difference in definition or coverage;
    • the recipient is able to opt out of the binding scheme without notice and without returning or otherwise appropriately disposing of the data which had been transferred; or
    • the agreement is unenforceable, for example, with a Memorandum of Understanding or shared protocols.

    9.21

    Where privacy law coverage is patchy or non-existent in the recipient’s jurisdiction and there is no relevant industry scheme or code in place, organisations may seek to comply with IPP 9 by using a contract. OVIC’s Model Terms for Transborder Data Flows (Model Terms) contain useful guidance and standard clauses that can be used in contracts, covering matters such as access and correction, audit rights and breach notification.6

    Content of principles: Are the fair handling principles substantially similar to the IPPs?

    9.22

    IPP 9.1(a) does not require the recipient to be bound to uphold principles identical to the IPPs, nor must these principles be as stringent as the IPPs.7 The fair handling principles applying to the recipient must be ‘substantially similar’. This term suggests some allowance will be made for variations in wording and perhaps scope of privacy principles. Tailoring of privacy principles to meet specific needs and conditions of other jurisdictions, industries or parties to a data transfer may result in stronger or weaker protections. Such principles may still be regarded as substantially similar to the IPPs in the circumstances of a particular data transfer.

    9.23

    The approach for assessing whether the fair handling principles applying to the recipient are ‘substantially similar’ is likely to involve the following steps:

    • A side by side comparison of the IPPs and other principles, noting their similarities and differences.
    • An assessment of the importance of any similarities or differences, considering the essential features of the IPPs, the relevance of particular principles to the data transfer under consideration and the objects of the PDP Act.8

    9.24

    In general, personal information transferred out of Victoria should only be used and disclosed for legitimate purposes. For example, a fair handling principle allowing a recipient to use or disclose personal information for direct marketing purposes without the individual’s consent may not be regarded as substantially similar to the restrictions on use and disclosure in IPP 2.

    Enforceability: Does the relevant law, binding scheme or contract effectively uphold fair handling principles?

    9.25

    It is not enough that fair handling principles be in place. These principles must be capable of being ‘effectively upheld’. This means the principles should be enforceable. Mechanisms should be in place to promote compliance with the principles, enable complaints about alleged breaches to be independently investigated and provide appropriate redress to complainants for harm suffered as a result of the recipient’s failure to effectively uphold the principles.

    9.26

    For example, many privacy laws in Australasia, Canada and Europe provide for independent regulators and tribunals to promote compliance and investigate non-compliance. Mechanisms are included to enable complaints to be made and investigated. For example, binding codes may have a code administrator who can receive complaints. Provisions might make avenues available for seeking redress, including providing remedies for privacy breaches.

    9.27

    Contracts can be more problematic as the individuals whose data is being transferred cannot usually enforce them. Organisations seeking to use contracts to comply with IPPs 9.1(a) or (f) should consider including mechanisms which enable:

    • individuals to exercise their access and correction rights;
    • complaints to be independently investigated and appropriate redress to be provided for harm arising from a privacy breach;
    • compliance audits to be undertaken; and
    • awareness measures to be taken to promote compliance within the recipient organisation.

    9.28

    The Model Terms for Transborder Data Flows may assist organisations in complying with IPP 9.1(a) or (f) in that:

    • the recipient is subject to a contract that effectively upholds principles for the fair handling of the information that are substantially similar to the IPPs – in accordance with IPP 9.1(a); or
    • the Model Terms and the way the parties have followed them during their dealings are evidence of reasonable steps by the organisation to ensure the information transferred will not be held, used or disclosed by the recipient of the information inconsistently with the IPPs – in accordance with IPP 9.1(f).

    The Model Terms establish a relatively high level of protection by including, for example, matters not expressly dealt with by the IPPs but which may nevertheless arise in the context of compliance actions or complaint-handling. For example, the Model Terms include obligations for the recipient to notify the organisation of a security breach and to not engage in data matching without the organisation’s prior authority.9 Clauses such as these protect an individual’s privacy, promote clarity about what is (and is not) authorised by the contract and assist the organisation in meeting its other obligations, for example, under IPPs 2 and 4. Organisations are, of course, able to modify and adapt the Model Terms to fit their circumstances. Organisations may choose not to adopt some of the more stringent protections prescribed in the Model Terms where they exceed the obligations expressly set out in the IPPs. Or, organisations may decide to adopt or adapt the Model Terms, or include additional measures, or both, where the circumstances call for the inclusion of stronger safeguards.10

    IPP 9.1(b): Individual gives consent

    9.29

    IPP 9.1(b) allows organisations to transfer information interstate or overseas when they have an individual’s consent. Consent should be informed, voluntary, specific, current and made with legal capacity. The concept of consent is discussed further in these Guidelines under Key Concepts and IPP 2.1(b).

    9.30

    When seeking informed and specific consent from an individual for a transborder data transfer, an organisation should address (at a minimum):

    • the purpose of the transfer;
    • the personal information to be transferred;
    • the recipient’s location, where the data will be stored and any privacy laws applying to the transfer of the data. This may be problematic for some cloud storage services where data storage is fragmented across several jurisdictions. In these circumstances, it may be more appropriate to consider another service provider or rely on a different subsection of IPP 9.1;
    • what entities will be able to access the information;
    • whether and to whom the information may be further disclosed or transferred;
    • how the personal information will be handled by the recipient; and
    • the consequences for the individual of giving or failing to give consent.

    9.31

    Where data is to be transferred as part of a research project, refer to the use of consent and other mechanisms discussed in IPP 2.1(c).

    9.32

    IPP 9.1(b) allows an organisation to obtain consent from an individual to transfer their information to an interstate or overseas recipient who is not subject to substantially similar privacy protections. This potentially reduces the privacy protection of the information after it is transferred, so organisations should ensure individuals are properly informed of any reasonably foreseeable privacy risks associated with the transfer prior to obtaining the individual’s consent.

    Case Study 9A: Validity of consent

    The Complainant complained Organisation A made an unauthorised transfer of their personal information to a Software Platform Provider located in another country (which did not have similar privacy laws to Victoria).

    Organisation A sought consent from the Complainant to store their personal information using one of the Software Platform Provider’s cloud products. The Complainant consented to the transfer by Organisation A to the Software Platform Provider because the Complainant relied on Organisation A’s services and did not feel they had any alternative but to agree to the transfer.

    The following year the Software Platform Provider made significant changes to its cloud product and privacy features. However, Organisation A did not seek the Complainant’s consent again for future transfers of their personal information.

    To resolve the dispute, Organisation A agreed to allow the Complainant to provide their personal information and access Organisation A’s services without using a cloud product. Organisation A also agreed to improve its process to ensure the consent it seeks for transfers is valid (current, informed and voluntary).

    In this case, it was appropriate to offer an alternative method of transferring information without using a cloud product; however, this will not apply to all situations involving the use of cloud or other digital products.

    IPP 9.1(c): Necessary to perform a contract with the individual or for implementation of pre-contractual measures at the individual’s request

    9.33

    IPP 9.1(c) allows organisations to transfer information outside of Victoria where the transfer is necessary for:

    • the performance of a contract between the individual and the organisation; or
    • the implementation of pre-contractual measures taken in response to the individual’s request.

    9.34

    The transfer must be necessary or there must be a close connection between the data subject and the purpose of the contract. IPP 9.1(c) cannot be used for transfers of additional, non-essential information. Nor can IPP 9.1(c) be used to authorise transfers of information for a purpose unrelated to the performance of the contract or pre-contractual measures. Transfers of information carried out to implement pre-contractual measures must be initiated by the individual, not by the organisation or recipient. The meaning of ‘necessary’ is discussed under Key Concepts and IPP 2.

    9.35

    In many cases, consent may be an alternative basis for the transfer. For example, the organisation may expressly seek consent in the contract or, in some limited circumstances, consent may be implied.11

    IPP 9.1(d): Necessary to perform a contract with a third party in the individual’s interest

    9.36

    Under IPP 9.1(d), an organisation may transfer information outside of Victoria to conclude or perform a contract with a third party in the interest of the individual who is the subject of the information being transferred.

    9.37

    IPP 9.1(d) deals with transfers that are beneficial to the interests of the individual (that is, ‘in the interest of the individual’). The individual’s interest in protecting their privacy is one of these interests.

    9.38

    Again, necessity must be established. There should be a close and substantial connection between the individual’s interest and the purposes of the contract.

    9.39

    The transfer should not be carried out solely in the interest of the organisation or recipient. The individual’s interest must be served and the test for necessity must be met. See Key Concepts for the definition of ‘necessary’.

    IPP 9.1(e): For the individual’s benefit, where it is impracticable to obtain consent and consent is likely to be given

    9.40

    IPP 9.1(e) allows for transborder data flows where the data transfer is for the benefit of the data subject, it is impracticable to obtain the data subject’s consent and the organisation reasonably believes the data subject would consent.

    9.41

    The transfer must be for the data subject’s benefit. For example, IPP 9.1(e) is likely to permit the transfer of essential personal information to help identify and assist a seriously injured person involved in an overseas or interstate accident or disaster.

    9.42

    While such transfers for the benefit of the individual might ordinarily occur by consent, IPP 9.1(e) allows the transfer to proceed without consent if it is impracticable to obtain that consent and the individual would be likely to give consent if it were sought. If the organisation is aware of the individual having previously expressed a wish not to have their information transferred in the circumstances, IPP 9.1(e) will not authorise the transfer.

    9.43

    For more information, refer to the discussion of ‘consent’ and ‘practicable’ in the Key Concepts and IPP 2.

    IPP 9.1(f): Reasonable steps to ensure data will not be handled inconsistently with the IPPs

    9.44

    IPP 9.1(f) authorises a transborder data flow if the organisation has taken reasonable steps to ensure the information transferred will not be held, used or disclosed by the recipient inconsistently with the IPPs.

    9.45

    The steps required to satisfy IPP 9.1(a) will often, in practice, amount to what is required by IPP 9.1(f). However, IPP 9.1(f) also allows transfers where the recipient is not bound by a law, binding scheme or contract that requires it to effectively uphold fair handling principles substantially similar to the IPPs. The primary focus of IPP 9.1(f) is on the reasonable steps taken by the organisation, instead of the privacy obligations binding the recipient.

    9.46

    For example, IPP 9.1(f) might be satisfied where the organisation takes practical steps to limit the amount of information transferred, arranges for agreements to be entered into to clarify permissible and prohibited uses and disclosures and secures the information from the time of transfer until its eventual return or destruction. Various (and often multiple) methods might be used to satisfy IPP 9.1(f) including legal, technological and administrative practices. Compliance with other IPPs may also dictate whether a transborder data flow is permissible, for example, whether the recipient can ensure appropriate security for the transferred data under IPP 4 Data Security.

    9.47

    Some examples of reasonable steps for transferring personal information under IPP 9.1(f) might include:

    • Privacy Impact Assessments (PIAs) – a PIA can help your organisation assess risks associated with a transfer and to implement appropriate security measures. You can find information about PIAs on OVIC’s website.
    • Technical security measures – a number of security controls can be implemented to secure personal information being transferred to an interstate recipient (for example, end-to-end encryption in transit and the use of at-rest encryption by the recipient of the personal information).
    • Cloud security assessment – the Victorian Government Chief Information Security Officer has produced a cloud security guide (including a sample assessment tool) to help organisations to identify risks and appropriate controls when considering using a cloud service provider.
    • Victorian Protective Data Security Framework and Five Step Action Plan – these documents may help organisations when considering the sensitivity of the personal information to be transferred and the potential impact in the event of a breach.

    Outsourcing arrangements

    9.48

    Organisations are increasingly outsourcing some of their functions or services to external service providers that are usually, but not always, private sector organisations. Where a Victorian government organisation outsources a function or service to a service provider outside Victoria, organisations may only transfer personal information to that service provider when one of IPP 9.1(a) to (f) applies.

    9.49

    Organisations should try to outsource functions and services and transfer personal information only to ‘contracted service providers’ (CSPs). An external service provider is considered a CSP when the outsourcing arrangement involves a ‘section 17’12 clause in a State contract. Outsourcing to CSPs is preferable because an organisation can require a CSP to comply with the IPPs. If the outsourcing contract requires the CSP to comply with the IPPs, the transborder data flow will likely be permitted under IPP 9.1(a), because the recipient is subject to the IPPs themselves.

    9.50

    Outsourcing functions or services and consequently transferring personal information only to CSPs is preferable. However, it will not always be possible or practical. For example, cloud service providers are unlikely to be CSPs.

    9.51

    Outsourcing arrangements to external service providers other than CSPs may also be permitted by IPP 9.1(a) even though the service provider is not bound by the IPPs themselves. As discussed under IPP 9.1(a), if the organisation can demonstrate a reasonable belief the recipient is subject to a substantially similar law, binding scheme or contract, the transborder data flow is permitted. The jurisdictional comparison tables in this chapter (Figures 1 and 2) provide organisations some guidance.

    9.52

    Where organisations use a cloud service provider with servers outside Victoria to store personal information, this is a transborder transfer and organisations must be able to rely on one of IPP 9.1(a) to (f). For example, organisations could rely on:

    • IPP 9.1(a) – if the organisation reasonably believes the cloud service provider is subject to a substantially similar law, binding scheme or contract.
    • IPP 9.1(b) – if the organisation seeks the individuals’ consent for the transfer and use of the cloud provider. However, if consent is not collected and recorded when the information is collected, obtaining consent at a later date can be a time-consuming task.
    • IPP 9.1(f) – if the organisation can demonstrate it took reasonable steps to ensure information transferred would not be held, used or disclosed by the recipient inconsistently with the IPPs. Reasonable steps in this context include contractual requirements and technical measures such as encryption, or other data security techniques adopted as part of compliance with IPP 4.
    1. The intended extra-territorial reach of the PDP Act is illustrated in section 4(1) of the PDP Act which expressly states an organisation is taken to hold information ‘irrespective of where the document is situated, whether in or outside Victoria’.
    2. Section 32 of the Charter of Human Rights and Responsibilities Act 2006 (Vic) requires all statutory provisions (including those contained in the PDP Act) be interpreted in a way that is compatible with human rights, including the right to privacy, insofar as it is possible to do so consistently with the statute’s purpose.
    3. Section 6(1) of the PDP Act provides other provisions prevail where there is inconsistency.
    4. For information on the operation of mutual assistance laws, see the Fact Sheets, key legislation and other related documents available from the Commonwealth Attorney-General’s Department’s website.

    5. Health privacy laws have also been enacted in the Australian Capital Territory, New South Wales, Victoria and Queensland. The Queensland Information Privacy Act 2009 applies to the health department, who must comply with the National Privacy Principles in that Act. Also in Queensland, confidentiality of information that identifies individuals that have received public sector health services, is a requirement of the Hospital and Health Boards Act 2011.
    6. Office of the Victorian Information Commissioner, Model Terms for Transborder Data Flows, Guidelines, May 2019.
    7. In contrast, any Code of Practice developed and approved under Part 3 of the PDP Act must prescribe standards ‘at least as stringent as the standards prescribed by the Information Privacy Principles’; sections 21(2) and 22(3)(b) of the PDP Act.
    8. Section 8A(2) of the PDP Act (Vic) requires the Information Commissioner to have regard to the objects of the PDP Act in performing his or her functions and exercising his or her powers under the PDP Act (Vic). The objects of the PDP Act are set out in section 5 and are: (a) to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector; (b) to balance the public interest in promoting open access to public sector information with the public interest in protecting its security; and (c) to promote awareness of responsible personal information handling practices in the public sector; and (d) to promote the responsible and transparent handling of personal information in the public sector; and (e) to promote responsible data security practices in the public sector.
    9. Note the Information Commissioner has no power under the PDP Act to issue binding guidelines. In contrast, legally binding guidelines can be issued by the Health Services Commissioner under the Health Records Act 2001 (Vic) and the Federal Privacy Commissioner under the Privacy Act 1988 (Cth). Organisations can nevertheless choose to bind service providers to comply with any particular relevant guidance issued by the Information Commissioner by, for example, adapting the relevant model terms in OVIC’s guidance: Model Terms for Transborder Data Flows.
    10. Office of the Victorian Information Commissioner, Model Terms for Transborder Data Flows, Guidelines, May 2019.
    11. See E v Money Transfer Service [2006] PrivCmrA 5.
    12. PDP Act (Vic) s 17(2) provides: ‘A State contract may provide for the contracted service provider to be bound by the Information Privacy Principles and any applicable code of practice with respect to any act done, or practice engaged in, by the contracted service provider for the purposes of the State contract in the same way and to the same extent as the outsourcing party would have been bound by them in respect of that act or practice had it been directly done or engaged in by the outsourcing party.’