Luxottica was awarded the contract by the ADF in 2012 under which it provided optical services to all ADF personnel. At that time, Luxottica claimed that it would exclusively offer eye services to more than 80,000 ADF personnel each year primarily through its OPSM stores.
Earlier this month, the ADF’s service provider, Medibank Health Solutions (MHS) revealed that Luxottica had breached its contract with ADF by sending ADF medical records overseas, when the contract required ADF medical records be kept in Australia.
It is understood that the ADF medical records were sent to Luxottica’s own server located overseas and included personal information such as name, military unit and results of eye tests and prescriptions.
While the overseas country to which the ADF medical records were sent has not been identified, MHS stated there was no indication the personal information had been passed to any parties beyond those working for Luxottica, including Luxottica’s information technology partners.
The ADF is in the process of contacting the affected ADF personnel and also seeking an alternative optometry provider.
In addition to complying with the APPs relating to the overseas disclosure of personal information, you should ensure that the contract your business enters into that governs the collection, use and disclosure of that personal information does not prohibit your business from sending that personal information overseas (as did the contract between Luxottica and the ADF).
To avoid breaching your privacy obligations under the APPs and contractual obligations, you should seek expert advice. McCullough Robertson can provide you with advice about your privacy obligations under specific contracts and also in relation to the development of your own privacy compliance strategy in accordance with the APPs.