Commonwealth Government agencies (agencies) are required to comply with the Information Privacy Principles (IPPs) in the Privacy Act 1988 (Cth) (the Privacy Act) when handling personal information. At times agencies contract out (outsource) a function that requires a contractor to collect and handle personal information on behalf of the agency. This information sheet deals with the obligations of agencies and contractors under the Privacy Act when this occurs. It replaces the guidelines that the Privacy Commissioner (the Commissioner) issued in August 1994 called Outsourcing and privacy - Advice for Commonwealth agencies considering contracting out (outsourcing) information technology and other functions.
Amendments to the Privacy Act contained in the Privacy Amendment (Private Sector) Act 2000 (Cth) commence on 21 December 2001.Those amendments contain new provisions that apply to agencies and their contractors. These new provisions do not apply to ACT government agencies or their contractors.1
Under this legislation, a contract between an agency and a contractor (or between a contractor and any subcontractor for such a contract) is to be the primary source of the contractor's obligations in relation to the personal information collected or handled for the purpose of performing the contract. This means that agencies continue to have contractual remedies against a contractor that breaches a privacy clause in a contract. (Although the agency will not have contractual rights against the subcontractor.)
The legislation also ensures that contractors and their subcontractors can be held accountable under the Privacy Act for any breaches of privacy obligations that they commit. An individual who considers that a contractor or subcontractor has breached their obligations in the handling of personal information about them can complain to the Commissioner who has jurisdiction to directly investigate the actions of the contractor or subcontractor. These are significant new rights and obligations.
The standards the Commissioner would apply in investigating a complaint are those set out in the contract. Also, for areas where there is no provision in the contract that is equivalent to the National Privacy Principles (NPPs) (the information handling standards that apply to private sector organisations covered by the Privacy Act), the NPPs are the standard.
Definition of contracted service provider
The definition of 'contracted service provider' (CSP) in section 6(1) of the Privacy Act includes the terms 'government contract' and 'subcontractor'. The definitions of those terms and 'Commonwealth contract' are relevant to understanding the contracting out amendments and to whom they apply. The new provisions do not apply to the activities private sector contractors carry out to provide services under contracts with State or Territory governments. Therefore, the term 'CSP' used in this document only refers to contractors under Commonwealth contracts and subcontractors for such contracts.
Obligations on Commonwealth agencies contracting out services
Requirements under section 95B
The Privacy Act ensures that an agency cannot use a contract to avoid its own obligations under the IPPs by authorising a CSP to do something that the agency itself is not permitted to do.
Contractual measures to prevent breach of IPPs by contractor When entering a Commonwealth contract, section 95B of the Privacy Act requires an agency to take contractual measures to ensure that a CSP for the contract does not do an act, or engage in a practice, that would breach an IPP if done by the agency. In particular, the agency must ensure that the Commonwealth contract does not authorise a CSP for the contract to do or engage in such an act or practice.
Contractual measures to prevent breach by subcontractor Some agencies may have clauses limiting or prohibiting subcontracting. However, where subcontracting is a possibility the agency must ensure that the Commonwealth contract contains provisions to ensure that an act or practice that would breach an IPP is not authorised by a subcontract. One way of doing this is to include in the primary contract a clause that requires the contractor to include in any relevant subcontract clauses that impose the same privacy requirements on the subcontractor as apply to the contractor.
Good practice to refer to NPP obligations of CSPs Agencies are only required to include privacy clauses in Commonwealth contracts that are consistent with their own obligations under the Privacy Act. However, the NPPs apply to the activities of a CSP in relation to the Commonwealth contract in areas where the IPPs have no equivalent provisions. To give a CSP a complete picture of its privacy obligations in relation to its activities under the contract it would be good practice for agencies to include in the contract provisions that also refer to the relevant NPPs.
Application of section 95B to existing contracts Section 95B does not apply to contracts that an agency has already entered into before 21 December 2001. So agencies are not required to amend contracts they have entered into before this date to comply with the requirements of section 95B. However, the Commissioner encourages agencies to review and take steps to amend their contracts where it is possible and reasonable to do so. A minimal step would be to write to each contractor and let them know how the new provisions (and in particular the NPPs) will apply to them from 21 December 2001.
An agency would have to ensure that any contract it renews after 21 December 2001 complies with section 95B requirements.
Consequences of breaching section 95B Breaches of section 95B are likely to become apparent to the Commissioner in the course of regular agency audits the Office of the Privacy Commissioner (the Office) carries out, or when an individual makes a complaint that involves a CSP. In the case of an audit, the Commissioner may require an agency to take a number of steps to remedy any breach. In the case of a complaint about a CSP that indicates that an agency may be in breach of section 95B the Commissioner is likely to undertake an audit to confirm whether or not this is the case.
Contracts to provide services to third parties
Providing services to third parties under a contract The definition of a CSP covers:
- the provision of services directly to the agency concerned; and
- the provision of services to third parties on behalf of an agency, where the provision of those services is in connection with the performance of the functions of the agency - section 6(9).
Where a contractor is providing services directly to an agency, it will be clear that the contractor is a CSP for a Commonwealth contract. However, where services are to be provided to third parties on behalf of an agency it may be less clear. In this case, to decide whether the contractor is a CSP for the purposes of section 95B of the Privacy Act an agency will need to consider whether the service to be provided under the contract is connected with the performance of the functions of the agency.
Some ways to work out the functions of an agency would include looking at the agency's statutory functions and administrative arrangements.
Where a contractor providing services to a third party on behalf of an agency is a CSP, the agency will need to ensure that the contractor is aware that they are a CSP in providing those services.Grants to provide services to third parties If the service to be provided under the contract is not connected with the performance of the functions of the agency then the special provisions in the Privacy Act about CSPs for Commonwealth contracts including section 95B do not apply. An example of this might be where an agency enters into a contract to provide Commonwealth funds (for example, a grant) to a body to provide services (for example legal or welfare services) to members of the community. If providing those services is not is not a function of the agency then the body receiving the grant would not be a CSP for a Commonwealth contract.
Although the Privacy Act does not require agencies to include contractual provisions about privacy in these circumstances the Commissioner encourages agencies to do so as good practice. This is particularly important where the body receiving funding is exempt from coverage of the Privacy Act (for example, if it has a turnover of $3 million or less and it is not providing a health service).
Agency contracting with a State or Territory
CSP is defined in section 6(1) of the Privacy Act to cover certain organisations. The definition of 'organisation' in section 6C excludes a 'State or Territory authority' (which is defined in section 6C(3)). Therefore, State or Territory authorities are not included in the definition of 'CSP'. This means that a State or Territory authority providing services under contract with an agency is not covered by the Privacy Act. However, in these circumstances agencies would still need to consider their obligations under IPP 4(b) to ensure that everything reasonable is done to prevent unauthorised use or disclosure of the personal information involved. Agencies should continue to include privacy clauses in contracts with a State or Territory authority where the authority will be handling personal information on behalf of the agency.
Obligations on agency contracting offshore
The obligations under section 95B of the Privacy Act to ensure that a CSP complies with the IPPs apply regardless of whether the contractor is in Australia or offshore. Extra-territorial operation is achieved by virtue of section 5B. Section 5B(4) ensures that the Commissioner has jurisdiction to investigate a complaint in these circumstances. Clearly, however, when contracting offshore, agencies need to make sure that they are still able to enforce the provisions of the contract.
Obligations on CSPs continue after contract ends
The use of the past tense in the definition of CSP ensures that obligations on CSPs to protect any personal information acquired under the contract continue even after the completion or termination of the contract. It also ensures that complaints about the acts or practices of CSPs under a Commonwealth contract may be taken to the Commissioner even after the completion of the contract. It would be good practice for agencies to include information about this either in the contract or in other information they give to the CSP.
Small business operators as CSPs
Under the Privacy Act many small businesses are exempt from having to comply with the NPPs (see section 6D). However, an individual, body corporate, partnership, unincorporated association or trust cannot take advantage of the small business exemption for anything they do as a CSP for a Commonwealth contract. A CSP of whatever size is bound by the legislation (and contract) in relation to its performance of the contract. The small business exemption could apply to all its other activities - see sections 6D(4)(e) and 7B(2) of the Privacy Act.
Additional obligations on CSPs to comply with NPPs (or approved code)
Privacy clauses in Commonwealth contracts prevail where they are inconsistent with the NPPs or a code to which the CSP may be subject (section 6A(2) and 6B(2)). If a privacy clause in a Commonwealth contract is consistent with a NPP (or relevant approved code), or if there is no clause in the contract corresponding to the NPP (or to any approved code), the NPP (or the approved code) will apply to the CSP concerned.
In practical terms, this means a CSP must comply with the terms of any Commonwealth contract. In addition, where there is no clause or requirement under the contract corresponding to a matter covered by the NPPs (or relevant approved code), a CSP also must comply with those NPPs (or any approved code) not addressed in the contract in respect of the services it provides to the agency. This applies to any CSP, including one that is able to claim the small business exemption in relation to its other activities.
Possible privacy clauses in a Commonwealth contract
Clauses to meet section 95B obligations
Simply having a provision in a Commonwealth contract that says the contractor agrees not to do an act or engage in a practice that would breach an IPP if that act or practice was done or engaged in by an agency will generally not be sufficient to ensure that an agency has met its obligations under section 95B. In a number of cases agencies will need to have more specific or practical provisions.
For example, an agency will need to consider how it will go about ensuring that a contractor does not breach IPP 5. One option may be to maintain a privacy digest that includes information about the personal information held by contractors rather than have the contractor do this.
Also agencies currently meet their access obligations under IPP 6 using the Freedom of Information Act 1982 (Cth) (FOI Act). However this does not apply to contractors. To ensure that a contractor meets its access obligations, an agency will need to have specific provisions addressing this. The provisions could reflect the process that is currently followed under the FOI Act, or the provisions could reflect the approach adopted in the Guidelines to the National Privacy Principles and associated information sheets. Agencies may need to get legal advice about this.
Clauses to meet NPP obligations
CSPs are required to comply with the NPPs where there is no clause in the contract corresponding to the NPPs (or relevant approved code, whichever is applicable). Also, some of the NPPs set a higher standard in areas of privacy covered by the IPPs. To ensure that contractors are aware of their NPP obligations and to ensure that where appropriate individuals receive a level of protection for their personal information equivalent to the NPPs where the standards are higher, it would be good practice for agencies to consider what provisions they might include to address the NPPs. Issues the agency might like to consider include:
- in relation to NPP 7 (identifiers) - should the contract have provisions reflecting NPP 7 obligations not to adopt, use or disclose Commonwealth government identifiers?
- In relation to NPP 8 (anonymity) - should the contract require the contractor to allow individuals interacting with the contractor to remain anonymous in certain circumstances?
- In relation to NPP 9 (transborder data flows) - should the contract require the CSP to comply with NPP 9 requirements if transferring information overseas is a requirement of the contract?
- In relation to NPP 10 (collection of sensitive information) - if the contractor is required to collect health or other sensitive information should there be a provision in the contract that requires the contractor to get the individual's consent to do so?
Privacy clauses to meet other Privacy Act obligationsIn order to ensure that the CSP is aware of its obligations under section 16F in relation to direct marketing, the agency could make it clear to the contractor whether or not the contract requires the CSP to carry out direct marketing for the purposes of the contract. If the contract does not require direct marketing, the agency could include a provision that states that the CSP is not to use information collected under the contract for direct marketing purposes.
Finding out what privacy standards apply
Openness about managing personal information
Both the IPPs and the NPPs require agencies and organisations to be open about their policies on management of personal information. Consistent with those requirements, the Privacy Act ensures that policies on the management of personal information included in clauses in Commonwealth contracts are not hidden because the contract is classified as 'commercial-in-confidence'.
Provisions inconsistent with NPP or binding code not 'commercial in confidence'
If a person asks for it, a party to a Commonwealth contract must inform the person in writing of the content of any provision in the contract that is inconsistent with an approved code binding a party to the contract or with a NPP (see section 95C).
By finding out if any provision in the Commonwealth contract is inconsistent with an approved code or NPP, an individual will be able to work out if a particular act or practice of the CSP is breaching a privacy clause included in the Commonwealth contract. For example, the contract may contain a provision concerning the contractor's ability to use or disclose personal information that is not consistent with NPP 2. If asked, a party to the contract would be required to inform the person of the content of that provision.
Compliance by giving a copy of privacy clauses
In practice, to comply with this requirement all an agency or CSP needs do is provide a copy of the privacy clauses in the relevant contract.
Interference with privacy by CSPs
Section 13A(1)(c) provides that an act or practice of a CSP that breaches a privacy clause will constitute an interference with privacy. Similarly, an act or practice of a CSP that breaches a NPP (or a relevant approved code) will constitute an interference with privacy, where there is no clause in the contract corresponding to the NPP (or approved code) or if a clause is consistent with an NPP (or relevant code). An act or practice of a CSP that contravenes section 16F (which prohibits the use or disclosure of personal information collected under a Commonwealth contract for direct marketing unless the use or disclosure is necessary to meet (directly or indirectly) an obligation under the contract) will also constitute an interference with privacy.
Application of the Privacy Act to existing contracts
The Privacy Act has some application to contracts made before 21 December 2001 that include privacy clauses. After that date acts or practices of a CSP in relation to the contract can constitute an interference with the privacy of an individual under the Privacy Act, despite the fact that the contract may have been entered before the commencement of the new provisions. Where an agency has already included privacy clauses in its Commonwealth contract and a CSP breaches a relevant provision of the contract an individual has the right to complain to the Commissioner (and the Commissioner has jurisdiction to directly investigate the acts and practices of the CSP). If an existing Commonwealth contract does not have privacy clauses in it on 21 December, the NPPs or relevant code will apply to the acts and practices of the CSP from that date.
Complaints process for Commonwealth contracts
The Commissioner handles complaints about CSPs
The Commissioner handles and investigates all complaints about a CSP even if the CSP is subject to an approved code that provides for an independent adjudicator. If the complaint concerns an act or practice of the CSP, the CSP itself will be the respondent to the complaint, not the contracting agency. The Commissioner is also required to advise the agency of the investigation or any decision not to investigate.
Agency can be substituted for respondent in certain circumstances
Where the CSP is not available or appropriate as respondent to the complaint for any of the reasons specified in section 50A(1)(b) (the respondent dies, ceases to exist or becomes bankrupt etc) the Commissioner may choose to substitute the agency for the CSP as the respondent. However, before making such a decision, the Commissioner is required to give the agency the chance to appear before the Commissioner and to make oral and/or written submissions concerning the proposed substitution of the agency as respondent.
Commissioner's complaint handling process and powers
The Commissioner's usual complaint handling powers under Part V of the Privacy Act apply to complaints about CSPs. These include wide-ranging powers to obtain information and to take evidence under oath. The Commissioner tries to conciliate complaints but where conciliation fails can also make a formal determination under section 52 which may include:
- a declaration that the respondent should redress any loss or damage suffered by the complainant; and
- a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered.
The Commissioner can seek to have such determinations enforced in the Federal Court or the Federal Magistrates Court.
Substitution of the agency as respondent to determination
Where the Commissioner's determination includes a declaration that the complainant is entitled to compensation or reimbursement and the CSP is not available for any of the reasons specified in section 53B(c) (the respondent dies, ceases to exist or becomes bankrupt etc), the Commissioner may substitute the agency as the respondent to the determination. Again, before making such a decision, the Commissioner must give the agency the chance to appear before the Commissioner and to make oral and/or written submissions concerning the proposed substitution.
Summary of matters agencies should consider when contracting out services
- Agencies should include appropriate privacy clauses in contracts to ensure that CSPs do not act in a way that would be a breach of the IPPs if the act or practice was done by the agency itself.
- Agencies should be aware that simply stating in the contract that the CSP should not breach the IPPs is unlikely to meet their obligations under section 95B and that, in particular, the agency may need specific provisions relating to openness (IPP 5) and access (IPP 6).
- Agencies should also ensure that contracts contain provisions that prevent subcontracts from authorising an act or practice that would be a breach of the IPPs if the act or practice was done by the agency itself.
- If a contract involves the provision of services to third parties, agencies should consider whether those services are connected with the performance of their functions. If the services are connected the agency will need to ensure that it complies with its obligations under section 95B and ensure the CSP is aware of the special provisions under the Privacy Act that apply to it.
- Agencies should be aware that if there is no clause in the contract corresponding to the NPP (or to a relevant approved code) in the contract, the NPP (or the approved code) will apply to the CSP.
- Agencies should consider whether it is appropriate to include in the contract privacy clauses addressing the following NPPs (or the code equivalent):
|o NPP 7||Government identifiers|
|o NPP 8||Option of remaining anonymous|
|o NPP 9||Disclosure to organisations in foreign countries|
|o NPP 10||Collection of sensitive information.|
- Agencies should state in the contract whether or not the contract requires the CSP to engage in direct marketing and if the contract does not require direct marketing it should confirm the CSPs obligation not to use the information it collects under the Commonwealth contract for direct marketing.
- Agencies are required to provide a person who asks for a copy of the privacy clauses in a contract that are inconsistent with the NPPs (or with a relevant approved code binding to a party to the contract) with a copy of those clauses.
- Agencies should be aware that complaints about acts or practices of a CSP will be investigated by the Commissioner, with the CSP as the respondent (unless the Commissioner decides otherwise).
- Agencies should also be aware that the Commissioner may substitute an agency for a CSP as a respondent to a complaint if the organisation that is the contractor dies, ceases to exist or becomes bankrupt etc, and that the agency may be liable to pay compensation if the Commissioner so decides.
Summary of matters CSPs should consider when entering Commonwealth contracts
- Even if a CSP is a small business usually exempt from the NPPs, the CSP will need to comply with the Privacy Act (and the contract) in relation to its activities under the Commonwealth contract.
- A contractor will need to be aware where it provides services to third parties on behalf of an agency it will be a CSP if those services are connected with the performance of the functions of the agency. If the services are connected, the contractor will be subject to special provisions in the Privacy Act that apply to CSPs. If, as a matter of good practice, an agency has not indicated whether a service is connected with a function of the agency, a contractor should check with the agency.
- A CSP (and the agency) is required to provide a person who asks for a copy of the privacy clauses in a contract that are inconsistent with the NPPs (or with an approved code binding a party to the contract) with a copy of those clauses.
- The Privacy Act prohibits CSPs from using or disclosing personal information collected under a Commonwealth contract for direct marketing unless the use or disclosure is necessary to meet (directly or indirectly) an obligation under the contract.
- CSPs should be aware that if there is no clause in the contract corresponding to the NPP (or to a relevant approved code), the NPP (or the relevant approved code) will apply to the CSP.
- CSPs should be aware that there would be some additional obligations on them
over and above the IPPs (unless the contract otherwise provides) because the
NPPs (or the code equivalent) deal with some things not addressed by the IPPs.
- NPP 7 Government identifiers
- NPP 8 Option of remaining anonymous
- NPP 9 Disclosure to organisations in foreign countries
- NPP 10 Collection of sensitive information.
- CSPs should be aware that the Commissioner has the power to investigate complaints and undertake own motion investigations of acts and practices of CSPs.
- Unless the Commissioner decides otherwise, the CSP will be the respondent to any complaint to the Commissioner about activities of the CSP and if compensation is payable, the CSP will be responsible for paying the compensation.
- CSPs should be aware that the NPPs will apply to their business activities that are not related to the Commonwealth contract unless the CSP is otherwise exempt (for example, because it is a small business operator in relation to those activities).
For a detailed legal briefing and model clauses for contracting Service Providers, see the AGS Legal Briefing and model clauses for privacy & Commonwealth agency outsourcing, available @ http://www.privacy.gov.au/government/contractors/
About Information Sheets
Information sheets are advisory only. They are not legally binding and are not intended to be a substitute for legal advice.
Information sheets are based on the Office's understanding of how the Privacy Act works. They are intended to help agencies and organisations apply the Privacy Act in ordinary circumstances. Agencies and organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy freedom to investigate complaints under the Privacy Act or to apply the Privacy Act in the way that seems most appropriate to the facts of the case being dealt with.
Agencies and organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1- 877079- 38 - 3 Privacy Hotline 1300 363 992 (local call charge)
1. Although other provisions of the Privacy Act apply to ACT agencies as a result of the Australian Capital Territory Government Service (Consequential Provisions) Act 1994