Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfer affects all organizations that engage online IT services, cloud-based services, remote access services and global HR databases.
Data transfers are allowed for employment-related personal data in Australia, including employee records (such as: terms and conditions of employment; training, disciplining and resignation; personal and emergency contact details; performance and conduct; taxation, banking and superannuation affairs; remuneration; leave; or, trade union membership). That said, the transfer is subject to certain third-party transfer requirements. Employee consent is needed to transfer employee data outside Australia to third parties (e.g. third-party HRIS, parent corporation, etc.). The local entity remains responsible for any data processed outside of the country.
Under the Privacy Act, entities are expected to take reasonable steps to ensure personal data processed overseas is protected (Chapter 8: APP 8, 2015). Employers can meet the data protection obligation through due diligence measures and contractual provisions. There are some very limited exceptions to the entity’s accountability (e.g. an individual providing fully informed consent after being told the entity will not take steps to protect their personal information processed overseas).
Restrictions apply when transferring Personally Identifiable Information (PII) out of the State or Territory where health information is regulated. Exceptions to this include:
- consent of the individual;
- concluding a contract in the interest of the individuals;
- transferring the PII to a jurisdiction that provides equivalent policy protections to personal data.
HR Best Practices: When transferring data outside of Australia, take all reasonable steps to ensure the overseas data recipient meets the requirements outlined in Australia’s Privacy Principles. Enter into enforceable, contractual agreements with the data recipient and perform due diligence measures before transferring any PII.