These obligations exist to protect personal information and ensure compliance with legislation including the Privacy Act 1988. Within the Privacy Act, service providers are recognised as APP entities, required to adhere to the 13 Australian Privacy Principles (APP).
The program is aware that some service providers may be using off-shore call centres to access their client records. This is a formal notice under clause 42 of the service provider contract to cease doing so.
Risks regarding offshore access to client records
There are risks associated with service providers allowing offshore access to their data management systems. Information contained on a client hearing health record (client record) is personal but may also contain content that is sensitive in nature (e.g clients health, racial or ethnic origin).
A program clients record is required to be hosted on Australian based servers.
If this information is accessed by an overseas a third-party, this is considered an overseas disclosure, which then brings Australian Privacy Principle (APP) 8 into play.
APP 8 addresses cross-border disclosure of personal information. An example of this would be persons working for an offshore call centre which are allowed access by the service provider to client information.
There may be an increased risk of unauthorised access to this personal information as addressed by APP 11 – Security of Personal Information which could create a major compliance risk for providers. APP 11 requires reasonable steps are taken to protect the personal information an entity holds. The risk of unauthorised access to personal information increases where access is uninhibited. As the records are property of the Commonwealth, service providers would be considered responsible for the conduct of any oversea parties relating to client records.
Therefore, third-party access from outside Australia makes the service provider responsible for any mishandling of client information by those overseas staff.
Service Provider Contract and Legislation
Part 4 of the Hearing Services Program (Schedule of Service Items and Fees 2025-26) addresses the management of client records and requires that client records are kept on Australian servers and are not disclosed outside of Australia.
Hearing Services Program (Schedule of Service Items and Fees 2025-26) Instrument (No.2) 2025
Clause 11 of the Service Provider Contract addresses records and documentation and states that all voucher holder records are Commonwealth records.
These records are not to be taken out of Australia without the written consent of the Commonwealth as referenced in Clause 17.5 of the contract. Clause 19.5 of the contract also refers to the removal or disclosure of records and confidential information outside of Australia.
Possible Consequences
- It is a contract breach (which could result in suspension or termination of the contract),
- It is likely a Privacy Act breach, for improper overseas disclosure.
- The provider is legally responsible for anything the overseas third party does with the data.
Contact
