Earlier this year, significant changes to the Australian Privacy Act - the primary legislation dealing with the handling of personal information - came into operation.

The changes introduced a new rule limiting direct marketing across all channels, not just spam, and gave the regulator significant powers to impose fines of up to $1.7 million on businesses, as well as the ability to impose sanctions such as enforceable undertakings.

The changes to the Act were passed in late 2012 and since then the regulator has issued a range of guidance notes and run a public awareness campaign. As a consequence, Australians are very aware of their rights and their ability to access their information and have it corrected.

Australians are also concerned about their personal information being sent overseas where regulations may not be so strong and they may be subject to identity theft or credit card fraud. While this can be managed under the law by obtaining the informed consent of the individual, this may not be the case with certain contracts.

In line with this approach, many Australian government departments and agencies strictly prohibit, as a matter of contract, the transfer of personal information about their staff overseas. They are particularly sensitive to Australian personal information going to jurisdictions where it will be subject to the US Patriot Act.

This is problematic, as many companies use cloud-based communication and information storage systems that are located outside Australia.

If a business located outside Australia has any contracts in place with an Australian government department or agency, it should review the requirements of those contracts as it moves to cloud-based services.

A recent news item has highlighted the importance of this.

Australian optometry services provider OPSM is owned by foreign conglomerate Luxottica. OPSM had been the sole provider of optometry services to the Australian Defence Force (ADF) in a contract worth $33.5 million.

The ADF cancelled that contract a month ago after it discovered that since September 2012, Luxottica and OPSM had been storing personal information of ADF personnel offshore. It is understood that while the information was not disclosed to third parties outside the Luxottica Group, the information was transferred offshore as part of Luxottica's IT system, prompting some security concerns from the ADF.

This is an issue that may apply to other companies that use cloud-based services and do not adequately advise end users.

Dealing with the way a company internally handles personal information - on a national and international level - is an area that companies need to consider from a risk perspective.
