Transborder Data Flows of Personal Information – Model Contract Terms
INTRODUCTION
Modern business is increasingly borderless. Digital communication technologies have made it as easy to send information to the other side of the world as to the other side of the street. This seamlessness has allowed organisations to globalise, and regions to specialise. It has opened up enormous opportunities for innovation and efficiency.
Victorian agencies regulated by the Privacy and Data Protection Act 2014 (Vic) are increasingly taking advantage of these opportunities. And where agencies do so, the Victorian community can benefit as well, through improved services, and more cost-effective government. But Victorians expect that their privacy will be protected, wherever their personal information is sent.
Victoria’s Privacy and Data Protection Act 2014 (Vic) (PDP Act) seeks to ‘balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector.’1
The ten Information Privacy Principles (IPPs) in Schedule 1 of the PDP Act set out minimum standards for how the Victorian government must manage personal information. IPP 9 (Transborder Data Flows) outlines how an organisation may transfer personal information about an individual to someone outside Victoria.
The basic idea in IPP 9 is that when personal information travels, privacy protection should travel with it.
IPP 9 is designed to ensure an organisation will only transfer an individual’s personal information out of Victoria where the personal information will have protection substantially similar to the PDP Act, or alternatively, where the individual consents, or is likely to consent.
The Office of the Victorian Information Commissioner (OVIC) has a number of functions and powers under the PDP Act. One of its functions is to develop and publish model terms capable of being adopted by an organisation in a contract or arrangement with a recipient of personal information being transferred by the organisation outside Victoria.2
This resource contains model contract terms (Model Terms) regarding the transfer of personal information outside Victoria. The Model Terms may be adopted (with or without adaptation) in an organisation’s contract with a recipient where personal information is transferred by the organisation outside Victoria. The relevant parts of the PDP Act and the IPPs are also explained.
This guide and the Model Terms are not prescriptive. They are intended to be tools to help organisations comply with IPP 9.
Each organisation will need to decide whether or not the Model Terms are appropriate for its own particular circumstances.
PRELIMINARIES
Key terms
IPP 9 regulates how an ‘organisation’ may transfer ‘personal information’ about an individual to someone who is outside Victoria.
Organisation
Most of the state government, local government and Victorian statutory authorities are governed by the PDP Act. Some exemptions apply.
An ‘organisation’ is defined in the PDP Act to cover:
- a range of Victorian public sector bodies or individuals, including Ministers, Parliamentary Secretaries, public sector agencies, municipal councils, statutory authorities established or appointed for a public purpose, courts, tribunals and Victoria Police; and
- contracted service providers who have agreed to be bound by the Information Privacy Principles in the PDP Act and any applicable code of practice for acts and practices under the relevant State contract.3
Personal information
‘Personal information’ is defined in the PDP Act to mean:
- information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include information of a kind to which the Health Records Act 2001 (Vic) (HR Act) applies.4
For example, an individual’s name and address,5 telephone number6 and where an individual works are ‘personal information’.7
Personal information must be ‘recorded’ in a physical or electronic form. The PDP Act will not apply where the information only exists in someone’s mind.
The exclusion of health information from the PDP Act reflects the Victorian Parliament’s decision to deal with the privacy of health information within the HR Act.8
Application
IPP 9 applies where an organisation covered by the PDP Act (Organisation) transfers personal information to someone outside Victoria (Recipient). If the Recipient is not subject to a law or binding scheme which effectively upholds the principles of fair handling of the information similarly to the IPPs, you should consider whether to adopt the Model Terms in this Guide in any contract between the Organisation and the Recipient.
Compliance with IPP 9 is only one aspect of privacy compliance. It is likely Organisations will also need to consider the impact of other IPPs when transferring personal information to recipients outside Victoria, for example, IPP 2 (Use and Disclosure) and IPP 4 (Data Security).9
Commonwealth level
At the Commonwealth level, the Privacy Act 1988 (Cth) (Privacy Act) regulates the handling of personal information about individuals and provides a basis for nationally consistent regulation of privacy.10 The Privacy Act includes the Australian Privacy Principles that apply to the private sector and the Commonwealth public sector.
IPP 9 is similar to Australian Privacy Principle 8 (APP 8) in the Privacy Act. The main difference is that APP 8 deals with transfers of personal information to someone who is outside Australia.
A contracted service provider under a State contract that binds it to comply with the IPPs for acts and practices under the contract may have to comply with both IPP 9 and APP 8 for different aspects of its activities. IPP 9 applies to the contracted service provider’s acts and practices for the purpose of meeting its obligations under a State contract with an Organisation. The APPs, by contrast, do not apply to acts and practices under State contracts: see section 7B(5) of the Privacy Act.
Text of IPP 9
IPP 9.1 states:
An organisation may transfer personal information about an individual to someone (other than the organisation or the individual) who is outside Victoria only if –
- (a) the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Information Privacy Principles; or
- (b) the individual consents to the transfer; or
- (c) the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
- (d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party; or
- (e) all of the following apply –
  - (i) the transfer is for the benefit of the individual;
  - (ii) it is impracticable to obtain the consent of the individual to that transfer;
  - (iii) if it were practicable to obtain that consent, the individual would be likely to give it; or
- (f) the organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.
The six bases on which personal information may be transferred to someone outside Victoria are alternatives. This means only one needs to be met. In practice, several may be fulfilled at once.
IPP 9.1(a) and IPP 9.1(f) will commonly overlap because by including appropriate clauses in an enforceable agreement with a Recipient, the Organisation may both establish the reasonable belief required under IPP 9.1(a) and take a reasonable step under IPP 9.1(f).
Not all transfers of personal information by Organisations will have features that bring them within IPP 9.1(b) to (e). For example, when an Organisation decides to provide personal information to a shared federal-state resource to assist cross-border law enforcement or revenue protection, this arrangement is unlikely to be:
- with the consent of all relevant individuals (IPP 9.1(b));
- necessary for performance of a contract with relevant individuals or in response to an individual’s request (IPP 9.1(c));11
- necessary for performance of a contract in the interest of the individual (IPP 9.1(d)); or
- for the relevant individual’s benefit in circumstances where it was impracticable to obtain the individual’s consent or if it was practicable the individual would likely consent (IPP 9.1(e)).
Transfers of personal information that are not within IPP 9.1(b) to (e) may be transfers permitted by IPP 2. For example, some transfers may be made under agreements12 made by one or more of the groupings of Federal and State Ministers who hold similar portfolio responsibilities13 and meet periodically to discuss and coordinate collective action across the internal borders of Australia.
Therefore, Organisations seeking to transfer personal information about an individual to someone outside Victoria will often seek to rely on IPP 9.1(a) and (f) to permit such transfers. The Model Terms, if reflected appropriately in a binding contract for the purposes of IPP 9.1(a), will assist Organisations in complying with IPP 9.1(a) or (f), or both.
The appropriate use of the Model Terms in a binding contract between an Organisation and a Recipient could lead to the conclusion that an Organisation transferring personal information outside Victoria complies with:
- IPP 9.1(a) because the Recipient is subject to a contract that effectively upholds principles for the fair handling of the information that are substantially similar to the IPPs; or
- IPP 9.1(f) because the adapted Model Terms and the way the parties have followed them during their dealings are evidence of reasonable steps by the Organisation to ensure the information which it transferred will not be held, used or disclosed by the Recipient in a manner inconsistent with the IPPs.
MODEL TERMS WITH COMMENTARY
The Model Terms are to be read with the rest of this guide, in particular, the Commentary in the guide, and with the PDP Act itself. The guide is not prescriptive about how the Model Terms are to be used. The Model Terms are a guide only.
The Model Terms are likely to require adaptation to the particular circumstances of the parties to any given agreement. Although the Model Terms are set out as a stand-alone agreement, transborder dataflow clauses will often comprise only part of larger agreements dealing with many matters other than flows of personal information. In such cases, the terms ‘Recipient’ and ‘Organisation’ will need to be defined or replaced with the relevant terminology used in the larger agreement.
The Model Terms and Commentary are available below.
1. PDP Act section 5(a).
2. PDP Act section 8C(1)(b).
3. PDP Act section 13.
4. PDP Act section 3.
5. Duggan v Moira Shire Council, Unreported, VCAT Reference No. G394/2004 (Senior Member Preuss, 9 February 2005); Complainant P v Local Council [2005] VPrivCmr 2; Complainant D v Minister [2003] VPrivCmr 4; Complainant H v Local Council [2004] VPrivCmr 2.
6. An individual’s mobile telephone number: Complainant K v Local Council [2004] VPrivCmr 5; an individual’s work telephone number: Complainant M v Tertiary Institution [2004] VPrivCmr 7.
7. Seven Network (Operations) Ltd v Media Entertainment & Arts Alliance (2004) 148 FCR 145.
8. An organisation under the PDP Act may also be an organisation under the HR Act. The HR Act contains Health Privacy Principle (HPP) 9, which is similar to IPP 9 except that HPP 9 deals with the transfer of ‘health information’ (not ‘personal information’ under the PDP Act) to someone who is outside Victoria. So if the organisation transfers information containing ‘personal information’ under the PDP Act as well as ‘health information’ under the HR Act to someone who is outside Victoria, the organisation will need to comply with both IPP 9 and HPP 9 unless the organisation is relevantly exempt under the PDP Act and the HR Act.
9. The website of the Office of the Victorian Information Commissioner contains information such as Guidelines and resources about the IPPs and other relevant background materials for reference.
10. Privacy Act 1988 (Cth) section 2A(c).
11. Note this sub-clause refers (among other things) to transfers ‘necessary … for the implementation of pre-contractual measures taken in response to the individual’s request’. The requirement for a request from the individual will probably mean the sub-clause may rarely be relevant to large-scale government data transfers. Alternatively, transfers may be authorised by another Victorian statute.
12. Some agreements, such as Memoranda of Understanding, may not be binding and therefore would not be regarded as a ‘binding scheme or contract’ for the purposes of IPP 9.1(a). Moreover, multi-jurisdictional bodies, such as Ministerial Councils, may not be directly subject to the PDP Act where they are exempt from the definition of ‘public sector organisation’ as being an ‘exempt body’ under s 4 of the Public Administration Act 2004 (Vic).
13. For example, Council of Australian Governments (COAG, comprising the Prime Minister, Premiers and Chief Ministers) or various Ministerial Councils, such as the Standing Committee of Attorneys-General (SCAG), the Australian Health Ministers’ Conference (AHMC) and the Australasian Police Ministers’ Council.