Private and financial information moved overseas by organisations.

Christopher Bennett made this Freedom of Information request to Office of the Australian Information Commissioner

This request has been closed to new correspondence from the public body. Contact us if you think it ought be re-opened.

Office of the Australian Information Commissioner did not have the information requested.

Christopher Bennett

Dear Office of the Australian Information Commissioner,

Would you please inform me why it is not in contravention of the Privacy Act 1988 for an organisation to transfer or copy private and financial customer information overseas to another country and/or organisational entity, without the express permission of the customer.

In particular a bank, that is an Australian registered company and expected by customers to operate and administer their accounts in Australia, moving their account processing operations off shore and to a separate organisational entity.

What guarantee of information security should an organisation be able to give in this circumstance?

Yours faithfully,
Christopher Bennett

FOI, Office of the Australian Information Commissioner

Dear Mr Bennett

Thank you for your email.

I can see that you are seeking information about the privacy requirements on organisations sending personal information overseas to another entity and also the data security obligations that arise. The National Privacy Principles related to these issues are NPP 9 (transborder data flows), NPP 2 (Use and Disclosure, in particular 2.1(a) and 2.3) and NPP4 (Data security). You can access a copy of the principles and Guidelines to the National Privacy Principles at http://www.privacy.gov.au/law/act/npp . I would also note that work is currently underway to incorporate material from the former Office of the Privacy Commissioner on the OAIC's website www.oaic.gov.au so these resources are likely to be available there in coming months.

Under the Freedom of Information Act 1982 you have a right to apply for access to a document of an agency (including the OAIC). Your email is framed as a request for information, not for any document(s). I accept that the name of the legislation is confusing in this regard in referring to 'information'. If you would like to make an FOI request, your request will need to provide information concerning the document(s) as is reasonably necessary to enable a responsible officer to identify the document(s).

If you are looking for documents that explain the rationale for the current privacy principles, you may find it useful to refer to the Australian Law Reform's Report 108 'For Your Information: Australian Privacy Law and Practice' available at http://www.alrc.gov.au/publications/repo... . The explanatory memorandum and parliamentary documents related to the new Australian Privacy Principles which commence in March 2014 as a result of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 are available at http://www.aph.gov.au/Parliamentary_Busi... (and the Act is on Comlaw).

I have dealt with your email as an enquiry rather than an FOI request. If you still want to make an FOI request and need assistance in framing the request, please feel free to email or phone 1300 363 992.

I hope this information is helpful for you.

Yours sincerely

Charine Bennett
Director, Legal Services
Ph: 1300 363 992
Fax: 02 9284 9666

Office of the Australian Information Commissioner - Protecting information rights – advancing information policy

-----Original Message-----
From: Christopher Bennett [mailto:[FOI #81 email]]
Sent: Monday, 25 March 2013 7:42 AM
To: FOI
Subject: Freedom of Information request - Private and financial information moved overseas by organisations.

Dear Office of the Australian Information Commissioner,

Would you please inform me why it is not in contravention of the
Privacy Act 1988 for an organisation to transfer or copy private
and financial customer information overseas to another country
and/or organisational entity, without the express permission of the
customer.

In particular a bank, that is an Australian registered company and
expected by customers to operate and administer their accounts in
Australia, moving their account processing operations off shore and
to a separate organisational entity.

What guarantee of information security should an organisation be
able to give in this circumstance?

Yours faithfully,
Christopher Bennett
