Your Privacy Policy must clearly stipulate that personal information will only be disclosed to overseas entities under certain circumstances and what those circumstances are. Furthermore, you must list the specific countries to which personal information may be disclosed or, where it is impractical to do so, list general regions.
However, it is not enough merely to have a Privacy Policy stating the circumstances under which personal information will be disclosed overseas; you must also take steps to ensure that privacy is protected when you disclose it. Businesses disclosing personal information to overseas entities need to have agreements in place with those entities that ensure the confidentiality and protection of the information. Proper handling of personal information matters all the more because your business can be held accountable where a third-party entity mishandles it. The Office of the Australian Information Commissioner states:
“The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs, and makes the APP entity accountable if the overseas recipient mishandles the information.” - APP 8.1
In this regard, SaaS businesses that are required to comply with the Act must have well-drafted Service Agreements with confidentiality clauses. These help ensure that the third-party entities you engage maintain proper privacy practices, and they limit the chance that your business will face the potentially heavy fines associated with breaching the Act.