2008-2009 The Parliament of the Commonwealth of Australia THE SENATE Presented and read a first time Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 (Senator Fielding) A Bill for an Act to protect jobs in Australia by preventing the transfer of personal information to other countries without consent, and for related purposes [Page Break] Part 1--Preliminary 1 1 Short title ........................................................................................... 1 2 Commencement ................................................................................. 2 3 Objects ............................................................................................... 2 4 Interpretation of this Act .................................................................... 2 Part 2--Consent to transfer personal information 5 5 Consent requirements for the transfer of personal information ........................................................................................ 5 6 Countries certified as having adequate protection ............................. 5 7 Countries not certified as having adequate protection ....................... 5 8 Consent decision not to affect business relationship.......................... 6 9 Certification of privacy protections ................................................... 6 Part 3--Call centre disclosure requirements 7 10 Call centre disclosure requirements ................................................... 7 11 Foreign call centre ............................................................................. 7 Part 4--Interaction with Privacy Law 8 12 Interaction with Privacy Law ............................................................. 8 13 Interference with privacy ................................................................... 8 Part 5--Interaction with Trade Practices Law 9 14 Interaction with Trade Practices Law ................................................ 9 15 Intentional breach of consent condition ............................................. 9 Part 6--Miscellaneous 10 16 Regulations ...................................................................................... 10 i Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 [Page Break] 2 preventing the transfer of personal information to 3 other countries without consent, and for related 4 purposes 5 The Parliament of Australia enacts: 6 Part 1--Preliminary 7 8 1 Short title 9 This Act may be cited as the Keeping Jobs from Going Offshore 10 (Protection of Personal Information) Act 2009. Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 1 [Page Break] Section 2 1 2 Commencement 2 This Act commences on the day after it receives the Royal Assent. 3 3 Objects 4 The objects of this Act are: 5 (a) to ensure that personal information held by businesses in 6 Australia is not transferred overseas without the informed 7 consent of the individual to whom the information relates; 8 and 9 (b) to protect employment in Australia by reducing the 10 outsourcing of customer service and call centre jobs overseas. 11 4 Interpretation of this Act 12 (1) In this Act: 13 interference with the privacy of an individual has the meaning 14 given by the Privacy Act, affected by section 13 of this Act. 15 mandatory industry code has the meaning given by the Trade 16 Practices Act, affected by section 15 of this Act. 17 organisation has the meaning given by section 6C of the Privacy 18 Act. 19 personal information has the meaning given by section 6 of the 20 Privacy Act, affected by subsection (2). 21 Privacy Act means the Privacy Act 1988. 22 Privacy Law includes: 23 (a) the Privacy Act; 24 (b) the Information Privacy Principles and National Privacy 25 Principles set out in that Act; 26 (c) any approved privacy code, Code of Conduct or industry 27 standard agreed, made or authorised under that Act; 2 Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 [Page Break] Section 4 1 (d) any guidelines or regulations made under that Act. 2 telecommunications network has the meaning given by section 7 3 of the Telecommunications Act 1997. 4 telemarketing call has the meaning given by section 5 of the Do 5 Not Call Register Act 2006. 6 Trade Practices Act means the Trade Practices Act 1974. 7 Trade Practices Law includes: 8 (a) the Trade Practices Act; 9 (b) any industry code made or authorised under that Act; 10 (c) any guidelines made under that Act; 11 (d) any regulations made under that Act. 12 transfer, in relation to personal information, means communicate, 13 send, trade or republish that information by any means whatsoever, 14 including by transmitting the information over a 15 telecommunications network from a source located in Australia or 16 an external Territory so that it can be accessed by a person in a 17 foreign location. 18 voice call has the meaning given by section 4 of the Do Not Call 19 Register Act 2006. 20 (2) Personal information held by an organisation in relation to an 21 individual includes, but is not restricted to: 22 (a) personal identifiers, including: 23 (i) any name by which the individual is or has been known, 24 including any family name; 25 (ii) date of birth; 26 (iii) mother's maiden name; 27 (b) secondary identifiers, including: 28 (i) street address, postal address or post-office box number; 29 (ii) phone number; 30 (iii) e-mail address; 31 (iv) driver's licence number; 32 (v) tax file number; Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 3 [Page Break] Section 4 1 (vi) medicare number; 2 (c) any identifying information allocated by an organisation, or 3 by any third party, including any customer identification 4 number or code; 5 (d) financial information, including: 6 (i) credit card details; 7 (ii) bank account details; 8 (iii) details of any financial transaction; 9 (e) medical records; 10 (f) passwords; 11 (g) any information relating to any business transaction between 12 the individual and the organisation or any third party. 13 (3) Unless the contrary intention appears, any other term used in this 14 Act which is defined in the Privacy Act 1988 has the meaning 15 given in that Act. 4 Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 [Page Break] Section 5 1 Part 2--Consent to transfer personal information 2 3 5 Consent requirements for the transfer of personal information 4 (1) An organisation in Australia or an external Territory (the 5 transferring organisation) must not transfer personal information 6 about an individual to an organisation in a foreign country (the 7 receiving organisation) unless the requirements of this Part have 8 been met. 9 (2) To avoid doubt, subsection (1) applies in each of the following 10 cases: 11 (a) where there is no connection between the two organisations; 12 (b) where the receiving organisation is a part, however 13 described, of the transferring organisation; 14 (c) where the receiving organisation is an associated entity, or a 15 part of an associated entity, of the transferring organisation; 16 (d) where the receiving organisation is performing any function 17 under contract to the transferring organisation. 18 (3) To avoid doubt, the requirements of this Part apply in addition to 19 the requirements of National Privacy Principle 9. 20 6 Countries certified as having adequate protection 21 If the receiving organisation is located in a country that is certified 22 as having adequate privacy protections, the transferring 23 organisation may transfer personal information about an individual 24 to the receiving organisation only if: 25 (a) the transferring organisation has informed the individual of 26 the intention to transfer personal information; and 27 (b) the individual has not objected to the transfer. 28 7 Countries not certified as having adequate protection 29 If the receiving organisation is located in a country that is not 30 certified as having adequate privacy protections, the transferring Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 5 [Page Break] Section 8 1 organisation may transfer personal information about an individual 2 to the receiving organisation only if: 3 (a) the transferring organisation has specifically informed the 4 individual, in writing, of: 5 (i) the intention to transfer information to a country that is 6 not certified as having adequate privacy protections; and 7 (ii) the content of the information proposed to be 8 transferred; and 9 (iii) the purpose of transferring the information; and 10 (iv) the identity of the receiving organisation or 11 organisations; and 12 (b) the individual has consented to the transfer, in writing, not 13 more than 12 months prior to the transfer of the information. 14 8 Consent decision not to affect business relationship 15 An organisation must not: 16 (a) deny the provision of goods or services to an individual; or 17 (b) change the terms of a business relationship with an 18 individual; or 19 (c) refuse to enter into a business relationship with an individual; 20 based upon that individual's decision whether or not to consent to 21 the transfer of personal information under this Act. 22 9 Certification of privacy protections 23 (1) The Minister may certify that a country has adequate privacy 24 protections, if the Minister is satisfied that the law of the country 25 effectively upholds principles for the fair handling of information 26 that are substantially similar to the National Privacy Principles. 27 (2) In determining whether to certify a country in accordance with 28 subsection (1), the Minister may seek the advice of the Office of 29 the Privacy Commissioner. 30 (3) The Minister must, from time to time, publish a list of the countries 31 that have been certified in accordance with subsection (1). 6 Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 [Page Break] Section 10 1 Part 3--Call centre disclosure requirements 2 3 10 Call centre disclosure requirements 4 (1) If a person makes a voice call to an organisation, and that call is 5 answered by, or transferred to, a foreign call centre, the person 6 responding to the call must identify the city and country in which 7 the call centre is located. 8 (2) If a person receives a telemarketing call from or on behalf of an 9 organisation, which originates from a foreign call centre, the 10 person initiating the call must identify the city and country in 11 which the call centre is located. 12 (3) For the purposes of this section, a voice call to any telephone 13 number related to, or advertised in any medium as being related to, 14 an organisation is a voice call to that organisation, unless the 15 contrary is proved 16 11 Foreign call centre 17 For the purposes of this Part an organisation is a foreign call 18 centre for another organisation if, 19 (a) the first organisation makes, receives or deals with voice 20 calls for or on behalf of the second organisation; and 21 (b) the first organisation meets the definition of receiving 22 organisation in relation to the second organisation for the 23 purposes of section 5. Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 7 [Page Break] Section 12 1 Part 4--Interaction with Privacy Law 2 3 12 Interaction with Privacy Law 4 (1) This Act is intended to supplement the Privacy Law to enhance the 5 protection afforded personal information, particularly in relation to 6 transborder data flows. 7 (2) Nothing in this Act removes or reduces any obligation placed on 8 any individual or organisation by the Privacy Law. 9 13 Interference with privacy 10 (1) For the purposes of the Privacy Law, an act or practice that effects 11 a transfer of personal information about an individual in 12 contravention of section 5 is an interference with the privacy of 13 the individual. 14 (2) An act or practice that may be an interference with the privacy of 15 an individual because of this section may be dealt with in 16 accordance with Parts V and VI of the Privacy Act. 17 Note: Parts V and VI of the Privacy Act deal with complaints; investigations 18 by the Privacy Commissioner and others; determinations, including 19 entitlement to compensation; and enforcement. 8 Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 [Page Break] Section 14 1 Part 5--Interaction with Trade Practices Law 2 3 14 Interaction with Trade Practices Law 4 (1) This Act is intended to supplement the Trade Practices Law to 5 enhance consumer protection in relation to the fair handling of 6 personal information. 7 (2) Nothing in this Act removes or reduces any obligation placed on 8 any individual or organisation by the Trade Practices Law. 9 15 Intentional breach of consent condition 10 (1) For the purposes of the Trade Practices Law, an organisation that: 11 (a) intentionally effects a transfer of personal information about 12 an individual in contravention of section 5; or 13 (b) takes any action in contravention of section 8; or 14 (c) fails to make a disclosure required by section 10; 15 is taken to have contravened a mandatory industry code. 16 (2) An organisation that is taken to have contravened a mandatory 17 industry code because of this section may be dealt with in 18 accordance with Part VI of the Trade Practices Act. 19 Note: Part VI of the Trade Practices Act deals with enforcement and 20 remedies. 21 (3) This section has effect only in relation to organisations which are 22 corporations within the meaning of section 4 of the Trade Practices 23 Act. Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009 9 [Page Break] Section 16 1 Part 6--Miscellaneous 2 3 16 Regulations 4 The Governor-General may make regulations prescribing matters: 5 (a) required or permitted by this Act to be prescribed; or 6 (b) necessary or convenient to be prescribed for carrying out or 7 giving effect to this Act. 10 Keeping Jobs from Going Offshore (Protection of Personal Information) Bill 2009 No. , 2009