Skip to content
LegalVision

Key Considerations When Sharing Personal Information with Overseas Contractors

Avatar photo

By Saya Hussain
Lawyer

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Summarise with: ChatGPT logo ChatGPT Claude logo Claude Perplexity logo Perplexity Microsoft Copilot logo Microsoft Copilot
Table of Contents

Engaging overseas contractors can be an effective way for businesses to respond to their business needs. However, while there are many advantages to hiring overseas contractors, you must consider this against legal risks, such as the risk of sharing the personal information of Australian individuals with overseas parties. This article considers how you can comply with your privacy obligations under the Australian Privacy Principles outlined in the Privacy Act 1988 (Cth) when disclosing information with overseas contractors.

Are You an APP Entity?

Before sharing information with an overseas contractor, you must determine if you are an APP entity. This distinction is important because if an APP entity shares information overseas and that overseas party breaches the APPs, that breach will be taken to be a breach by the APP entity itself.

An APP entity is a business that needs to comply with the Australian Privacy Principles (APPs) outlined in the Privacy Act 1988 (Cth) (Privacy Act).

For example, suppose your business generates more than $3 million in annual turnover. In that case, it will likely be considered an APP entity and will have obligations under the Privacy Act, including concerning the disclosure of personal information overseas.

Sharing Information With Overseas Contractors

Suppose you are an APP entity. If so, let us explore several precautionary measures you can take when sharing information with your overseas contractors.

1. Privacy Policy

Before sharing information with any third party (including overseas contractors), you should review the terms of your privacy policy to ensure that you have informed your customers that you will share their personal information with overseas contractors.

If you have yet to inform customers of this intended use, you can update your privacy policy and provide notice of this to your customers. You should aim to give your customers at least 30 days’ notice before the privacy policy comes into effect. Accordingly, this will allow your customers to inform you of any issues with your intended use of their personal information before you disclose it.

2. Risk Mitigation

As a best practice, you should only share information essential for your overseas contractors to be able to deliver the services.

When engaging an overseas contractor, consider the following questions.

1. Whether the volume of information you are sharing with the contractor is necessary to enable them to perform the services?

Tip: As a rule, do not provide the contractor with more personal information than is necessary. The more information you share, the higher the risk of individuals using data in a way that breaches the APPs.

2. What is the nature of the information?

Tip: You should consider the nature of the information, and whether it is personal or sensitive information. Sensitive data requires a higher level of confidentiality due to its delicate nature.

3. How much access does the contractor have to my existing databases?

Tip: Ensure that you only provide access to the databases that the contractor needs to perform their services. All other access should be limited or subject to your approval.

3. Contractual Terms

You should ensure that the terms of your contractor agreement impose strong privacy obligations on the contractor, particularly concerning any personal information they receive or have access to during the term.

You can include clauses addressing the following:

  • an acknowledgement by the contractor that you are required to comply with the APPs;
  • a warranty that the contractor will not breach the APPs;
  • an indemnity by the overseas contractor if it breaches the APPs (for example, by disclosing personal information to an unauthorised party); and
  • a data breach response plan that includes a straightforward process for reporting a data breach.
Front page of publication
The Ultimate Guide to Starting an Online Business

It’s now easier than ever to start a business online. But growing and sustaining an online business requires a great deal of attention and planning.

This How to Start an Online Business Manual covers all the essential topics you need to know about starting your online business.

The publication also includes eight case studies featuring leading Australian businesses and online influencers.

Download Now
Continue reading this article below the form
Loading form

Key Takeaways

If you are an APP entity looking to engage an overseas contractor, be aware of your obligations under the Privacy Act. Likewise, implement robust processes to mitigate any risk of overseas disclosure breaching your legal obligations. Some steps you can take include:

  • reviewing the terms of your privacy policy;
  • implementing or strengthening your internal security measures; and d
  • rafting an explicit contractor agreement with strong privacy clauses.

If you need help with a website privacy policy, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is an APP entity?

An APP entity is a business that must comply with the Australian Privacy Principles outlined in the Privacy Act 1998 (Cth). 

What should I include in my privacy policy?

Your Privacy Policy should state the type of information your business collects and how that personal information will be used, disclosed and stored. 

Register for our free webinars

ACCC Merger Reforms: Key Takeaways for Executives and Legal Counsel

Online
Understand how the ACCC’s merger reforms impact your legal strategy. Register for our free webinar.
Register Now

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now
See more webinars >
Saya Hussain

Saya Hussain

| View profile

Read all articles by Saya

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

Legal Considerations Around Recording Customers Who Enter My Business

How Do I Handle Data Access Requests to an Individual’s Health Records if They Do Not Have Capacity?

E-Commerce Laws You Must Know To Run An Online Business

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards