New changes to Privacy Act leads to increased transparency on data flows… and maybe varying interpretations as to how the APPs and Guidelines operate

March 13, 2014 |

The amendments to the Privacy Act are one day old but the changes are already becoming apparent.  At least in terms of disclosure of where data sent offshore is going.  That is an obligation under the Australian Privacy Principles (the APPs), in particulars APP 1 and 8.

Itnews in Aussie blue-chips reveal extent of data offshoring has done a quick review based on disclosures to date.  It is an excellent article.  The United States leads the pack in terms of destination of data followed by United Kingdom, India and Phillipines (no doubt call centre and support service oriented). New Zealan , Singapore and Chine.  The piece also shows how companies are interpreting the requirements set out in the APPs regarding disclosure with Coles being on the open side while Westfield and Holden being more opaque.  Clearly this is a matter requiring consideration by the Privacy Commissioner in the short to medium term.  If organisations and agencies feel that there is scope to adopt either a more or less expansive approach to disclosure then this lack of consistency undermines the operation of the APPs.  The Guidelines to the APPs, and sometimes the APPs themselves, are drawn sufficiently broadly to at least work within reasonably broad parameters.  Press reportage of this nature is not good in bedding down the operation of the new amendments.

It may be that ultimately the Federal Court will need to interpret what APP 1 and APP 8 means regarding disclosure of offshore transfer of data.

The article provides:

Analysis: Who sends stuff where?

 Australia’s big four banks, airlines, telcos and retail giants have been forced to disclose how and where they offshore data in order to satisfy new privacy rules that came into effect overnight.

A survey by iTnews of the revised privacy policies of some of Australia’s blue-chip companies reveals the most common locations to send data offshore, the IT-related reasons for doing it, and the safeguards large organisations have in place to prevent things going awry.

The United States is the most common location for overseas data disclosure, followed by the United Kingdom, India, The Philippines, New Zealand, Singapore and China. In all, over 30 countries are disclosed as recipients of Australians’ personal data.

Though some brands, such as retail giant Coles, have already suffered a backlash over its permissible locations to share data, other companies were far less transparent.

For example, Westfield and Holden simply list entire geographic regions or continents, rather than specific countries. Holden indicates that it “may” disclose data to virtually any country worldwide, by virtue of its extensive geographic list.

So what do Australia’s largest organisations do with your data?


Telstra’s privacy statement tells customers that it may disclose data to third parties that supply it with IT and network services, as well as to other telcos with which it did business.

Challenger brand iiNet tells customers that it may make offshore data disclosures to professional services firms working in “software development, systems and technical support, data storage, marketing and product development”.

Optus tells customers that data might find its way to outsourcers or to companies whose products Optus rebadges.

“These overseas companies are involved in providing services like data storage and customer and technical support,” the telco notes in its Privacy Policy.

Vodafone Australia discloses that it “may store or sometimes disclose personal information to entities outside Australia, including… Vodafone’s data hosting and other IT service providers” and to other Vodafone Group companies.

NBN Co, which only built its IT systems in recent years, notes that it has “contracted service providers in countries such as the USA and India, to whom NBN Co discloses personal information.”


Coles lists 23 countries where it shares data with third parties. Rival Woolworths indicates a variety of reasons why it might want to disclose data overseas, but provides only some examples of countries in which it does so.

One reason Woolworths states is where it has “made a business decision to store our data with a trusted service provider who is in the business of providing data storage and processing services”.

The retailer also notes that a “reinsurer of some of our insurance offerings uses computer systems in Switzerland and the United States to store insurance-related personal information”.

Westfield said it stored personal information either in its own computer systems or in a database, where it could then be “transmitted over the Internet” in an encrypted fashion, or “transferred across borders to recipients in foreign countries”.

David Jones provides detailed disclosure on the countries it sends data to, and for what purpose. These include to the US for database management, the UK for order management, and New Zealand for payment processing.

Myer doesn’t provide quite as detailed disclosure, though it notes that cross-border disclosure of data may be required when “storing data via a cloud service, or where Myer’s customer relationship management system is hosted on servers located overseas”.


The Commonwealth Bank listed IT support providers among a long list of third parties it might want to disclose data to. ANZ and Westpac also briefly listed technology service providers.

Of the big four, NAB was perhaps most prescriptive, although it’s list of countries to which data disclosures might be made wasn’t definitive.

“We may store your information in cloud or other types of networked or electronic storage,” NAB said. “As electronic or networked storage can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your information may be held.”


Qantas tells customers the types of offshore third parties that might receive data were “data processors (including operators of global travel distribution systems), customer service providers and managers of our financial products located overseas”.

Virgin Australia indicated that “some” of its technology, operational and customer service providers are also located overseas. “For example, we have a call centre in The Philippines and we use cloud service providers,” the telco noted.

Tiger Airways disclosed that its “data storage and processing suppliers are based in Singapore.”


Toyota Australia and Holden both said that IT service providers were one possible recipient of customer data. Ford listed several countries where disclosures might occur, but Honda Australia’s policy did not specify overseas uses for data.

Leave a Reply

Verified by MonsterInsights