Myth v Fact – When we share our customers’ personal information with our contractors, their handling practices are not our problem

Turn your mind to the other businesses with which you share personal information – they may be based in Australia or overseas, they may receive personal information about a single customer (for example, to facilitate delivery of an order), or whole databases (for example, to carry out marketing campaigns or store your CRM).

The threshold issue to consider is whether you are permitted to share that personal information with that specific third party. This requires an examination of the reasons for the disclosure in the context of your privacy policy, collection notice and the applicable Australian privacy laws.

If you do share personal information about your clients or customers with parties in Australia, you may not be directly responsible for their handling of that information provided you were permitted to disclose the information in the first place. But, that party’s handling of the personal information may have flow on effects that cause you to be in breach of your obligations. When a data breach occurs, often more than one business is impacted.

However, if you share personal information with overseas-based businesses (such as outsourced administration service providers or database or software hosts), your business may be responsible for the personal information handling practices of these businesses.

It is critical to have in place appropriate privacy policies and robust contracts with contractors and third parties that impose strict privacy and confidentiality obligations on those parties.

Implementing these arrangements is not onerous. In fact, in an era where privacy is at the forefront of everyone’s mind, it is expected.

Contact our Privacy & Data Protection team to assist you to manage these risks.