How Do New Privacy Laws Impact Outsourcing?

Sep 15, 2018 | Darshak Shah
Darshak is Evource Co-Founder and an Australian CPA with experience working across more than 8 industries, including with employers such as NAB and Cancer Council. He has a keen eye for process streamlining, improvement, change management, and transitions.


In the advancing digital age, information can be shared and spread ever more quickly. Australia, like many other countries, has therefore had to make changes to its privacy laws. Many of these changes are still in progress, and more are sure to come. Whenever new privacy laws come in, there is understandably some confusion about what they mean in practice. The good news is that, even with all the changes, you can continue to reap the benefits of outsourcing.

While the new privacy laws do potentially affect your outsourcing arrangements, this isn’t necessarily a bad thing. New processes and potentially added costs can be a pain; however, they ultimately mean that your data, and the privacy of your customers, are more secure. New privacy laws are simply a sign of regulation catching up with the times.

AUSTRALIAN PRIVACY PRINCIPLES (APP)

The Australian Privacy Principles provide valuable guidance on how to handle, use, and manage personal information. They were last updated in March 2018 to impose more stringent requirements on the handling of sensitive information. They include mandatory requirements as well as best-practice guidelines.

CROSS-BORDER INFORMATION DISCLOSURE

The legislation specifically relating to the disclosure of information overseas was last updated in 2015. It covers the requirement to ensure that an overseas recipient of personal information does not breach the APPs, and sets out when the Australian entity may be held responsible for such a breach.

THE DATA BREACHES AMENDMENT

Perhaps the biggest change to the Australian Privacy Act was implemented on February 22nd, 2018, as the Notifiable Data Breaches amendment. Businesses covered by the Privacy Act are now required to report data breaches that result in harm, and to have a data breach plan in place to reduce the impact of any data breach.

A good outsourcing firm will already have a data breach plan, and procedures in place to mitigate the risk of any data breach. Regular reviews, training, monitoring, data encryption, protective software updates, and preparation are all important parts of data protection protocols.

It is both your responsibility and the responsibility of your outsourcing provider to have these procedures in place. The Office of the Australian Information Commissioner (OAIC) has provided a useful flowchart to respond to a data breach:

https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/flowchart.pdf

OTHER COUNTRIES

Outside Australia, the European General Data Protection Regulation (GDPR) was introduced in May 2018. This is a major change in data privacy regulation. In essence, it requires more comprehensive data-processing agreements between businesses. Key differences include the GDPR’s requirements around appointing a data protection officer, the right to data portability, and an individual’s right to be forgotten.

Many Asian countries have introduced cybersecurity laws over the past few years, while others are still in the process of drafting new privacy laws. Some of these now even include criminal sanctions for data breaches. The US has also introduced the Clarifying Lawful Overseas Use of Data Act (CLOUD Act).

Your outsourcing provider should keep you apprised of any particular responsibilities for the country you are working with.

WHAT TO KEEP IN MIND

  • There can be serious penalties if there is a failure to comply with privacy laws. Ensure that you have an understanding of your own requirements so that you can be confident in your decisions.
  • Utilise the Australian Privacy Principles to guide best business practice as well as to meet mandatory requirements.
  • You can potentially be held accountable for a privacy breach that occurs with an overseas provider. Ask your outsourcing provider how they obtain, handle, store, and transfer customer data to ensure that you are covered.
  • There is a higher obligation than ever to be transparent in any dealings pertaining to data and the acquisition of personal information. Ensure that you are confident in the transparency under which your provider operates.
  • Having high-standard outsourcing agreements, consents, and means of data collection and storage will mitigate the risk of a data breach and help fulfil your obligations. A solid contract with strict data storage requirements is essential.
  • Your data breach plan must incorporate a clear line of communication with your outsourcing provider and provide an understanding of who is responsible for what actions.

USE A TRUSTED BUSINESS PROCESS OUTSOURCING PROVIDER

All these regulatory changes, and there will always be more, mean that your outsourcing provider must make sure it is always keeping up to date.

By selecting a quality business process outsourcing provider, such as Evource, you can continue to take advantage of the benefits of outsourcing while ensuring that you comply with privacy laws and protect both yourself and your customers.