The principle gives organisations long-term responsibility for personal information sent overseas. It stipulates that, prior to disclosing personal information to an overseas recipient, the organisation must take reasonable steps to ensure the recipient does not breach APPs 2 to 13 in respect of that information.

The exceptions to this principle include where the organisation reasonably believes the recipient is subject to a law or binding scheme that has the effect of protecting the information in a substantially similar way to that of the APPs; and where the individual provides his or her consent for the disclosure, after the organisation expressly states the principle will not apply if that consent is given.

These reforms are of particular concern to health organisations and practices which use offshore data storage or processing entities, or otherwise disclose personal information to overseas recipients as, under the new regime, unless an offshore entity is bound by Australian privacy laws, the Australian organisation will be liable for any breaches by the offshore entity.

The liability is a strict one, and applies even after any relevant contract or agreement between the Australian organisation and offshore entity is terminated, however that termination is caused.
· APP 9 - Adoption, use or disclosure of government-related identifiers

APP 9 prohibits an organisation from adopting, using or disclosing a government-related identifier of an individual, unless an exception applies.
· APP 10 - Quality of personal information

Under APP 10, an organisation must take reasonable steps to ensure the personal information it collects is accurate, current and complete.

In relation to use and disclosure, the requirements differ from the current principles. For uses and disclosures, the personal information must be relevant, as well as accurate, current and complete, having regard to the purpose of the use or disclosure.
· APP 11 - Security of personal information

APP 11 requires an organisation to take reasonable steps to protect the personal information which it holds from interference, as well as from misuse, loss, unauthorised access, modification and disclosure as required by the current principles.

Like NPP 4.2, APP 11 requires an organisation to take reasonable steps to destroy or de-identify personal information if the organisation no longer needs it for any authorised purpose.

There are two exceptions to this requirement: where the personal information is contained in a Commonwealth record, or where the organisation is required to retain the information by or under an Australian law or order by an Australian court or tribunal.
· APP 12 - Access to personal information

APP 12 requires an organisation to give an individual access to personal information the organisation holds about that individual, unless an exception applies. The exceptions are substantially similar to the exceptions in NPP 6.

Organisations are required to respond to requests for access within a reasonable period, and must also give access in the manner requested by the individual if it is reasonable to do so. If an organisation decides not to give an individual access to the information, it must generally provide the individual with written reasons for the refusal and the avenues available for any complaint about the refusal.

If an organisation charges a fee for giving an individual access to the individual's personal information, the charge must not be excessive and must not apply to the making of the request.