Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly

RMIT University©2008 School of Accounting & Law 2

Recent Headlines

• 500 Telstra jobs head to the Philippines

• NAB prepares to send more IT jobs to India

• More software roads lead to India

• Insurance outsourcing: India leads the way

• Westpac jobs off to India

Introduction

• Information or data protection principles seek to establish rules about how organisations and businesses can collect, use, store and disclose information which can identify an individual.

• A legal regulatory environment for the handling of personal information now exists in over 39 countries including within the European Union, the United States, Canada and Australia.

• Both India, which is estimated to have 46% of global Business Process Off-shorers (BPOs) and is currently the largest host of outsourced data processing in the world, and the Philippines, which is keen to grow its BPO industry, currently have no data protection legislation.

• NAB, Telstra, Qantas are examples of Australian companies involved in offshore outsourcing.

Trans-border Data Protection in Australia

• The Privacy Act 1988 (Cth) is silent on the transfer of personal data outside of Australia by a public sector agency or organisation.

• However, the Act requires that all personal information is held in accordance with the Information Privacy Principles (IPPs).

• The IPPs require that the information is held reasonably secure and disclosure to others is made subject to IPP 11.

• The Privacy Act, in its application to the private sector, and the various state and territory data protection acts do address the transfer of personal data outside of Australia.

Trans-border Data Protection in Australia

A private sector organisation in Australia or governed by Australia may transfer personal information about an individual to someone (other than the organisation or individual) who is in a foreign country only if:

a) the organisation reasonably believes that the law in the country of the recipient of the information upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles; or

b) the data subject consents to the transfer; or

c) the transfer is necessary for the performance or conclusion of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken at the individual’s request; or

d) the transfer is for the benefit of the individual; it is impracticable to obtain the consent of the individual to that transfer; and it is likely that the consent would be forthcoming if it had been possible to obtain it; or

e) the organisation has taken reasonable steps to ensure that the information will be held, used or disclosed by the recipient of the information in accordance with the National Privacy Principles.

Data Protection in India

• Currently no specific data protection legislation has been enacted; however, a Personal Data Protection Bill was drafted in 2006. It has not progressed.

• Indian companies are increasingly agreeing to submit themselves to the exclusive jurisdiction of the customer’s national courts which makes the customer’s national laws binding on a contracting Indian company.

• Under the Indian Contract Act 1872, Indian companies are able to provide contractual solutions to issues of data protection.

• Chapter VI of the Credit Information Companies (Regulation) Act 2005 has regulations that provide for privacy principles on the accuracy, security, secrecy and adequacy of credit information.

• Also, in 2006, the Indian Government proposed changes to the Information Technology Act 2000. These changes would impose fines on businesses and individuals for leaking personal information or failing to prevent data theft.

Data Protection in the Philippines

• The Philippines currently has no data protection legislation; however, a Government Data Privacy Protection Act is being considered by the Philippines’ Parliament.

• In 2006, the Philippines government issued ‘Administrative Order 8’ which contained Prescribing Guidelines for the Protection of Personal Data in Information and Communications System in the Private Sector.

• These guidelines, managed by the Department of Trade and Industry, apply to the processing of all personal data, whether of local origin or from overseas.

• The guidelines are also intended to encourage and support private entities in the adoption of privacy policies.

Current Situation for Australian Organisations

• Using contract law to obtain the consent of consumers to allow the transfer of personal information outside of Australia.

• Ensuring that personal information is protected through contractual arrangements with their trading partners.

• However, there are concerns amongst businesses about the practicality and costs associated with monitoring the compliance of their trading partners.

Typical Contracts

• A typical data protection agreement sets out the terms by which an overseas organisation agrees to handle personal customer information acquired from an Australian private sector organisation.

• The agreement clearly sets out the receiver's rights and obligations in using a customer’s personal information.

• The receiver must comply with the applicable data protection laws of the stated jurisdiction, which is Australia. The national privacy principles in the Australian Privacy Act are attached to the agreement.

• The receiver must also keep the personal information confidential and secure, correct information at the customer’s request and assist with any proceedings in relation to unauthorised use of the personal information.

Typical Contracts

• In most cases, the agreement requires the employees of receivers to provide undertakings that they understand and will comply with the terms of the deed.

• The receiver is required to keep adequate records and conduct audits that show that it is complying with the terms of the agreement and the Privacy Act.

• It must also agree to indemnify the customer for any breach of deed obligations.

• Generally, at the end of the contract period, the receiver must return, destroy or de-identify the relevant personal information and provide a statement that it has done so.

Australian Law Reform Commission's Recommendations – National Privacy Principle 9

As a result of the 2006-2008 Privacy Act Review, in terms of trans-border data protection, the ALRC recommends:

• That the trans-border data flow guidelines in NPP 9 be extended to apply to federal government agencies as well as the private sector.

• To ensure that the transfer of personal data is in the interests of and for the benefit of the individual, the transferring organisation will have to demonstrate more than merely stating that the reason for the transfer is organisational efficiency.

• NPP 9 needs to be amended so that organisations must take reasonable care to ensure personal data will be handled consistently with Australian data protection law before the data is transferred.

Australian Law Reform Commission's Recommendations – National Privacy Principle 9

• Privacy policies should state whether personal information may be transferred out of Australia.

• Also, a list of those jurisdictions which are considered to have similar data protection legislation to Australia will need to be developed to assist businesses, as will guidelines about the issues that should be addressed by a business as part of a contractual agreement with an overseas recipient of personal information.

Implications of the Recommendations

• Public sector agencies or organisations may need to make procedural changes to the way personal information is collected, held or handled.

• The agency or organisation that transfers personal information outside of Australia will be liable for any breaches of the new Unified Privacy Principle 11 (formerly NPP 9) by the third party receiving the information except if:

– The information is subject to a law, scheme or contract which is effectively identical to the UPPs.

– The individual consents to the transfer after being expressly advised that the agency or organisation will not be accountable for the personal information once it is transferred.

– The agency or organisation is required or authorised by the law to transfer the personal information.

Implications of the Recommendations

• Both public sector agencies and private sector organisations will need to amend their privacy policies.

• If an organisation transfers personal information to a related body corporate outside of Australia, the transfer will be subject to the new Unified Privacy Principle 11.

Options for India and the Philippines

• Introduce data protection law applying to residents and to outsourced data.

• Adopt model contract clauses developed specifically for the outsourcing industry in each country.

– The European Commission, the Council of Europe, the International Chamber of Commerce and the Hong Kong Privacy Commissioner have issued model contracts that cover the transfer of personal data to countries with inadequate data protection legislation.

• Adopt a Safe Harbor Framework, similar to the framework in place between the EU and the US.

– The framework should have a governing body that is able to accredit, certify, monitor and enforce the agreed data protection principles framework.

– It could be a Trustmark scheme similar to those operating in Japan, the US and Singapore. The ALRC notes that such schemes can provide accreditation, investigate breaches, advise consumers and organisations about obligations and rights and can provide dispute resolution.