What do Australian privacy and health information laws say about disclosing personal information overseas?
APP 8.1 says that before you disclose personal information about an individual overseas, you must take reasonable steps to ensure that the recipient does not breach the Australian Privacy Principles (APPs) in relation to that information.
This means that when you enter personal client information into Kalix (which has servers in the United States of America), Australian Privacy Principle 8 (APP 8, cross-border disclosure of personal information) will apply.
Health information/records legislation and principles (Health Info Laws) in Australian States and Territories may also apply to this disclosure for health and sensitive information. Please refer to the applicable legislation or principles for your state or territory.
Are there exceptions to APP 8?
Yes. You can bypass compliance with APP 8.1 (but still remain compliant for transborder data flows) if:
1. you expressly inform an individual that, if they consent to the disclosure, APP 8.1 will not apply; and
2. the individual then consents to the disclosure.
How do you “expressly inform” someone?
You should provide the individual with a privacy statement (or privacy consent) that explains the potential consequences of providing consent.
You have the option to inform someone verbally (and get consent verbally), but best practice recommends that you record this in writing.
The Office of the Australian Information Commissioner suggests that at a minimum, a privacy statement should explain that if the individual consents to the disclosure and the overseas recipient handles the personal information in breach of the APPs:
• the entity will not be accountable under the Privacy Act; and
• the individual will not be able to seek redress under the Privacy Act.
For example, the statement or consent could say:
You acknowledge that:
(a) we use Kalix, a modern cloud-based practice management software, with Microsoft Azure servers located in the United States of America;
(b) any personal, sensitive or health information relating to you (protected information) may not be subject to the same privacy obligations, principles or standards as in Australia or any other country;
(c) you will not be able to seek redress under the Privacy Act 1988 (Cth) or any other act relating to sensitive or health information in Australia (or a State or Territory of Australia);
(d) you may not be able to seek redress in the USA; and
(e) server operators in the USA could be subject to laws (such as the PATRIOT Act) that compel disclosure of protected information.
You agree and consent to us:
(a) storing protected information on those servers in the United States of America; and
(b) transferring protected information to those servers (whether or not via Kalix).
This is a standing consent that applies to multiple disclosures in respect of our services provided to you as your allied health professional and in respect of our use of Kalix as part of our practice management (including to store and manage your records, to make appointments and to issue bills).
The content here is intended only to provide a summary and general overview on matters of interest as at 30/11/2013.
It is neither intended to be comprehensive, nor to constitute legal advice.
You should always obtain legal or other professional advice, appropriate to your own circumstances, before acting or relying on any content here.
We may expand or amend this content from time to time by updating this section or by posting on our website or knowledge base.