
PRIVACY PROTECTION FOR OFF-SHORING BILL 2007

This is a Bill, not an Act. For current law, see the Acts databases.



2004-2005-2006-2007



The Parliament of the

Commonwealth of Australia



HOUSE OF REPRESENTATIVES



Presented and read a first time





Privacy Protection for Off-shoring Bill 2007



No. , 2007



(Ms Burke)

A Bill for an Act to amend the Financial Management and Accountability Act 1997 and the Trade Practices Act 1974, to regulate the transmission of personally identifiable information for processing outside Australia, and for related purposes








Contents

1 Short title

2 Commencement

3 Schedule(s)

Schedule 1--Amendments

Financial Management and Accountability Act 1997

Trade Practices Act 1974










The Parliament of Australia enacts:

 

1 Short title

This Act may be cited as the Privacy Protection for Off-shoring Act 2007.

 

2 Commencement

This Act commences on the day on which it receives the Royal Assent.

 

3 Schedule(s)

Each Act that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.



Schedule 1--Amendments

Financial Management and Accountability Act 1997

 

1 After Part 6

Insert:

Part 6A--Requirements for Commonwealth contracts

 

43A Principles applying to Commonwealth contracts

    (1) This section requires an agency entering into a Commonwealth contract for the provision of services in Australia, to take contractual measures to ensure that a contracted service provider for the contract cannot undertake work in relation to the contract, of a kind that would involve use of personally identifiable information, in a country other than Australia.

    (2) The agency must ensure that the Commonwealth contract does not authorise a contracted service provider for a contract for the provision of services in Australia, to undertake work in relation to the contract, of a kind that would involve use of personally identifiable information, in a country other than Australia.

    (3) The agency must also ensure that the Commonwealth contract contains provisions to ensure that the undertaking of work in relation to the contract, of a kind that would involve use of personally identifiable information, in a country other than Australia, is not authorised by a subcontract.

    (4) For the purposes of this section:

agency has the meaning set out in section 6 of the Privacy Act 1988.

personally identifiable information has the meaning set out in section 65AAAB of the Trade Practices Act 1974.

subcontract has the meaning set out in section 95D of the Privacy Act 1988.

    (5) This section applies whether the agency is entering into the Commonwealth contract on behalf of the Commonwealth or in the agency's own right.

Trade Practices Act 1974

 

2 After Division 1 of Part V

Insert:

Division 1AAAA--Disclosure of personally identifiable information outside Australia

 

65AAAA Overview

This Division sets out what is meant by the disclosure of personally identifiable information outside Australia. A corporation is prohibited from engaging in certain conduct in relation to disclosure of personally identifiable information outside Australia (see sections 65AAAC and 75AZRA).

 

65AAAB Definitions

In this Division:

Affiliate means any company that controls, is controlled by, or is under common control with another company

Consumer means an individual who obtains from a corporation products or services which are to be used primarily for personal, family or household purposes, and also means the legal representative of such an individual

Nonaffiliated third party means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the corporation, but does not include a joint employee of such corporation

Personally identifiable information means information including:

        (a)   Name

        (b)   Postal address

        (c)   Financial information

        (d)   Medical records

        (e)   Date of birth

        (f)   Phone number

        (g)   E-mail address

        (h)   Medicare number

        (i)   Mother's maiden name

        (j)   Driver's licence number;

        (k)   Tax file number.

 

65AAAC Transmission of information

A corporation may not disclose personally identifiable information relating to a consumer to any branch, affiliate, subcontractor, or unaffiliated third party located in a country other than Australia, unless:

        (a)   the corporation provides the notice of privacy protection set out in section 65AAAD;

        (b)   the consumer is given the opportunity, before the time that such information is initially disclosed, to object to the disclosure of such information to such branch, affiliate, subcontractor, or unaffiliated third party located in a country other than Australia; and

        (c)   the consumer is given an explanation of how the consumer can exercise the nondisclosure option set out in paragraph (b).

 

65AAAD Notice requirements

    (1) If a corporation transmits personally identifiable information to entities for processing outside Australia, at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a corporation must provide a clear and conspicuous disclosure to such consumer in writing or in electronic form of the corporation's policies and practices with respect to the transmission of personally identifiable information, consistent with subsection (2).

    (2) The disclosure required by subsection (1) must include:

        (a)   information informing the consumer in simple language:

            (i)   that the corporation transmits personally identifiable information to entities for processing outside Australia;

            (ii)   of the privacy laws of the country to which personally identifiable information will be sent;

            (iii)   of any additional risks and consequences to the privacy and security of an individual's personally identifiable information that may arise as a result of the processing of such information outside Australia; and

            (iv)   of any additional measures the corporation is taking to protect the personally identifiable information transmitted for processing outside Australia; and

        (b)   a certification that:

            (i)   the corporation has taken reasonable steps to identify the locations where personally identifiable information is transmitted by such entities;

            (ii)   attests to the privacy and security of the personally identifiable information transmitted for processing outside Australia; and

            (iii)   states the reasons for the determination by the corporation that the privacy and security of such information is maintained.

 

65AAAE Effect on Business Relationship

A corporation must not discriminate against a consumer because the consumer has objected to the disclosure under paragraph 65AAAC(b).

 

3 After section 75AZR

Insert:

 

75AZRA Disclosure of personally identifiable information outside Australia

    (1) A corporation must not transmit personally identifiable information for processing outside Australia other than in accordance with section 65AAAC.

Penalty: 2,000 penalty units.

Note 1: The penalty specified above is the maximum penalty that may be imposed on a corporation: subsection 4B(3) of the Crimes Act 1914 does not apply.

    (2) Subsection (1) is an offence of strict liability.

Note 1: Chapter 2 of the Criminal Code sets out the general principles of criminal responsibility.

Note 2: For strict liability, see section 6.1 of the Criminal Code.