Aussie blue-chips come clean on data offshoring

Australia's big four banks, airlines, telcos and retail giants have been forced to disclose how and where they offshore data in order to satisfy new privacy rules that came into effect overnight.

A survey by iTnews of the revised privacy policies of some of Australia's blue-chip companies reveals the most common locations to send data offshore, the IT-related reasons for doing it, and the safeguards large organisations have in place to prevent things going awry.

The United States is the most common location for overseas data disclosure, followed by the United Kingdom, India, The Philippines, New Zealand, Singapore and China. In all, over 30 countries are disclosed as recipients of Australians' personal data.

Though some brands, such as retail giant Coles, have already suffered a backlash over its permissible locations to share data, other companies were far less transparent.

For example, Westfield and Holden simply list entire geographic regions or continents, rather than specific countries. Holden indicates that it "may" disclose data to virtually any country worldwide, by virtue of its extensive geographic list.

So what do Australia's largest organisations do with your data?

Telcos

Telstra's privacy statement tells customers that it may disclose data to third parties that supply it with IT and network services, as well as to other telcos with which it did business.

Challenger brand iiNet tells customers that it may make offshore data disclosures to professional services firms working in "software development, systems and technical support, data storage, marketing and product development".

Optus tells customers that data might find its way to outsourcers or to companies whose products Optus rebadges.

"These overseas companies are involved in providing services like data storage and customer and technical support," the telco notes in its Privacy Policy.

Vodafone Australia discloses that it "may store or sometimes disclose personal information to entities outside Australia, including… Vodafone's data hosting and other IT service providers" and to other Vodafone Group companies.

NBN Co, which only built its IT systems in recent years, notes that it has "contracted service providers in countries such as the USA and India, to whom NBN Co discloses personal information."

Retailers

Coles lists 23 countries where it shares data with third parties. Rival Woolworths indicates a variety of reasons why it might want to disclose data overseas, but provides only some examples of countries in which it does so.

One reason Woolworths states is where it has "made a business decision to store our data with a trusted service provider who is in the business of providing data storage and processing services".

The retailer also notes that a "reinsurer of some of our insurance offerings uses computer systems in Switzerland and the United States to store insurance-related personal information".

Westfield said it stored personal information either in its own computer systems or in a database, where it could then be "transmitted over the Internet" in an encrypted fashion, or "transferred across borders to recipients in foreign countries".

David Jones provides detailed disclosure on the countries it sends data to, and for what purpose. These include to the US for database management, the UK for order management, and New Zealand for payment processing.

Myer doesn't provide quite as detailed disclosure, though it notes that cross-border disclosure of data may be required when "storing data via a cloud service, or where Myer’s customer relationship management system is hosted on servers located overseas".

Banks

The Commonwealth Bank listed IT support providers among a long list of third parties it might want to disclose data to. ANZ and Westpac also briefly listed technology service providers.

Of the big four, NAB was perhaps most prescriptive, although it's list of countries to which data disclosures might be made wasn't definitive.

"We may store your information in cloud or other types of networked or electronic storage," NAB said. "As electronic or networked storage can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your information may be held."

Airlines

Qantas tells customers the types of offshore third parties that might receive data were "data processors (including operators of global travel distribution systems), customer service providers and managers of our financial products located overseas".

Virgin Australia indicated that "some" of its technology, operational and customer service providers are also located overseas. "For example, we have a call centre in The Philippines and we use cloud service providers," the telco noted.

Tiger Airways disclosed that its "data storage and processing suppliers are based in Singapore."

Carmakers

Toyota Australia and Holden both said that IT service providers were one possible recipient of customer data. Ford listed several countries where disclosures might occur, but Honda Australia's policy did not specify overseas uses for data.