Data Processors
Are there obligations for controllers to establish controls with respect to data processors?

Last review date: 31 December 2024

Yes 

The obligations are as follows:

Other

There is currently no distinction under the Privacy Act between data controllers and data processors. The obligations under the Act apply to entities which collect and hold personal information. The Privacy Act is non-prescriptive about the type of controls which must be applied to data processors. However:

  • Unless an exception applies, APP entities which disclose personal information to overseas recipients must take reasonable steps to ensure that the overseas recipient does not breach the requirements of the APPs (other than APP 1) (APP 8.1), and
  • APP entities that hold information must take reasonable steps to protect that information from misuse, interference and loss and from unauthorized access, modification or disclosure (APP 11), and these steps include taking technical and organizational measures. Where an APP entity makes data available for access and processing by another entity, the APP entity may still be regarded as holding that information, depending on the circumstances.

Generally speaking, it will be a reasonable step to conduct due diligence on a proposed processor and put a binding agreement in place that protects the personal information being processed.

There may be additional considerations or requirements under State and Territory public sector privacy laws, health records laws, surveillance laws, telecommunications and critical infrastructure laws where relevant.

Among other things, the report on the review of the Privacy Act recommends – and the government agrees or agrees in-principle – that:

  • A controller/processor distinction should be implemented to recognize that different entities have differing degrees of control over the handling of personal information
  • Standard contractual clauses should be made available for APP entities to use when transferring personal information overseas
  • APP 11 should be amended to include a set of baseline privacy outcomes, and
  • Entities would be required to establish minimum and maximum retention periods for personal information.
Are there any direct regulatory or statutory requirements on processors?

Last review date: 31 December 2024

Yes

If an APP entity collects personal information and no exemptions apply, it will be subject to the requirements of the APPs, irrespective of whether it is a "processor" or a "controller." Similarly, State and Territory public sector privacy laws, health records laws, surveillance, telecommunications and critical infrastructure laws do not distinguish between processors and controllers.

As noted in a previous response, the report on the review of the Privacy Act proposes – and the government agrees in-principle – that the law should be reformed to introduce a partial controller/processor distinction, to recognize that different entities have differing degrees of control over the handling of personal information.