House debates

Monday, 26 February 2007

Petitions

Responses

The Clerk:

A ministerial response to a petition previously presented to the House has been received as follows:

Dear Mr Harris

I refer to your letter dated 5 December 2006 which provided me with a copy of the petition lodged by Mr JP Murphy MP in the House of Representatives on 4 December 2006. In accordance with standing order No. 212(b), I lodge the following written response in answer to the petition.

Many modern businesses operate internationally necessitating the movement of information across national boundaries. It is common banking practice to perform certain back-office and IT operations overseas. Overseas service providers require access to the data needed for that service. It is important therefore that Australia has mechanisms in place to protect personal data when it is transferred off shore.

In Australia, regulation under the Privacy Act 1988 plays an important part in ensuring that businesses have effective practices to ensure that a customer’s personal information is protected both in Australia and overseas. The National Privacy Principles (NPPs) in the Privacy Act impose privacy obligations on the private sector, including banks and financial institutions. The NPPs were designed to balance an individual’s right to privacy with the legitimate use of their personal information by the private sector. The NPPs extend to certain acts and practices that private sector organisations undertake outside Australia. The Act is designed to ensure that an organisation does not avoid its NPP obligations simply by moving personal information overseas.

NPP 4 requires an organisation to take reasonable steps to protect the personal information it holds, including protecting the personal information from misuse. NPP 9 only permits the transfer of personal information of Australians to foreign countries in limited situations. The transfer can occur only where:

  • the Australian company reasonably believes that the foreign company is subject to a law, binding scheme or contract that effectively imposes principles substantially similar to the NPPs
  • the individual consents to the transfer, or
  • it is necessary for the performance of a contract between the individual and the Australian company.

These principles ensure that Australian businesses proactively protect personal information by, for example, imposing contractual obligations on foreign companies they deal with about the handling of personal information.

Section 5B (the “long arm” jurisdictional rule) provides for the Privacy Act to operate extra-territorially thus affording protection to personal information transferred overseas within the same Australian organisation. This is subject to any local laws that conflict with the Privacy Act.

A failure to establish adequate protections to prevent personal information from being misused overseas may be a breach of the Privacy Act. A breach of the Act can be investigated by the Privacy Commissioner. When the Commissioner receives a complaint, she will investigate it and try to conciliate a mutually acceptable outcome. If the Privacy Commissioner finds a privacy breach she can issue a determination that can include the payment of compensation to people whose privacy has been breached.

Currently the Australian Law Reform Commission (ALRC) is undertaking a comprehensive Inquiry into the operation of the Privacy Act. As part of this Inquiry, on 9 October 2006 the ALRC released its first Issues Paper, which considers the issue of protecting personal data sent off shore. I am aware that many Australians have concerns about the transfer of their personal information overseas. I urge petitioners to make a submission to this inquiry to ensure that their views about the transborder flow of personal data are taken into account in any future law or policy reform in this area. The ALRC will be providing me with its report on 31 March 2008, and I will be giving due consideration to any recommendations made in that report.

Privacy and security issues surrounding the transfer of personal information between countries are also being discussed in a number of international fora, including the Asia-Pacific Economic Cooperation (APEC). As a member of the APEC Privacy Sub-group, Australia is considering ways of addressing these issues on a regional level. The Privacy Sub-group is currently working towards developing models for the international implementation of the APEC Privacy Framework. The Privacy Framework sets out nine privacy principles which provide clear guidance and direction to businesses operating in APEC economies. The Privacy Framework promotes a consistent approach to information privacy protection across APEC member economies, while avoiding the creation of unnecessary barriers to information flows.

During APEC 2007, the Attorney-General’s Department will host a series of privacy seminars focusing on Cross-Border Privacy Rules and regulator investigation and enforcement issues. The aim is to increase regional cooperation and coordination on privacy issues thereby guaranteeing minimum standards of privacy to personal information flowing across international borders.

Yours sincerely

Philip Ruddock

from the Attorney-General, Mr Ruddock, to a petition lodged on 4 December by Mr Murphy (from 3,523 citizens).