Government contractors

14.98 While information about federal, state and territory privacy regimes is publicly available, Australian Government, and state and territory agency contracts are not. This makes it difficult to detect whether contractual privacy provisions are inconsistent with the Privacy Act.[127]

14.99 The OPC has expressed the view that, in many cases, contractual privacy provisions are an appropriate way to incorporate higher privacy obligations than may otherwise apply, or to maintain privacy protections that apply already to personal information. For example, they may compel a contractor to undertake specific privacy-related activities, such as mandatory reporting of suspected privacy breaches, or to undertake staff training.[128]

14.100 Other stakeholders expressed the view that privacy clauses in contracts often are overly legalistic, claiming to cover all possibilities but too often failing to allocate responsibility for breaches clearly.[129] It was suggested that Australian agencies have taken an inconsistent approach to documents containing information regulated by the Privacy Act.[130]

Commonwealth contracts

14.101 The Privacy Act imposes obligations on agencies entering into contracts to provide services to or on behalf of the agency. Section 95B requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a contracted service provider for the contract, or a subcontractor, does not do an act or engage in a practice that would breach the IPPs. The Act defines a ‘contracted service provider’ as ‘an organisation that is or was a party to the government contract and that is or was responsible for the provision of services to an agency or a State or Territory authority under the government contract’, or a subcontractor for the government contract.[131]

14.102 A small business that is also a contracted service provider will be subject to the Privacy Act in respect of the performance of that contract.[132] A state or territory authority contracting with an agency will not be covered by the Act. A ‘State contract’ is defined as a ‘contract, to which a state or territory or state or territory authority is or was a party, under which services are to be, or were to be, provided to a state or territory authority’.[133] Section 16F of the Act provides that an organisation must not use or disclose personal information for direct marketing unless the use or disclosure is necessary to meet an obligation under the contract.

14.103 An act done or practice engaged in by a contracted service provider for the purposes of meeting an obligation under a contract will not breach an NPP or an approved privacy code if the act or practice is authorised by the contract. Therefore, the NPPs or a code can be varied by the contract and a breach of an NPP or code will not have occurred if the contractual obligations require the contracted service provider to do an act or practice that would be inconsistent with an NPP or an approved code to which it is bound.[134]

14.104 The Privacy Commissioner has jurisdiction to investigate the action of a contractor or subcontractor. Section 13A(1)(c) provides that a breach of a ‘non-complying’ privacy provision in a Commonwealth contract is an interference with privacy. The standards the Privacy Commissioner would apply in investigating a complaint are those set out in the contract.[135]

14.105 The obligations under s 95B extend to a contracted service provider who is not within Australia.[136] Although the Privacy Commissioner could take action overseas to investigate complaints, enforcement of the provisions of the contract overseas may be difficult.[137]

14.106 In DP 72, the ALRC did not make any proposals to amend the Commonwealth contractor provisions under the Privacy Act. The ALRC noted the OPC’s submission that the Act does not restrict Australian Government agencies from including contractual clauses that refine existing privacy obligations, or impose additional obligations on a contractor, which may be appropriate under certain circumstances. The OPC submitted that, in this regard, the current provisions are appropriate and effective.[138] The OPC stated, however, that the definition of ‘contracted service provider’ in the Act could be reviewed to ensure that it is adequate to cover all the types of activities that private sector organisations might perform on behalf of agencies.[139]

14.107 A number of stakeholders considered that the provisions are unclear and require redrafting.[140] For example, the OVPC submitted that it is not clear whether contracted service providers are able to contract out of their obligations under the NPPs or a code, and highlighted difficulties about the enforceability of provisions that purport to bind contractually a service provider to the privacy obligations of a government agency.[141]

14.108 The ALRC expressed the preliminary view that the contracted service provider provisions under the Privacy Act remain appropriate and effective. The ALRC, however, did ask whether the definitions of ‘contracted service provider’ and ‘State contract’ under the Privacy Act are adequate, and whether they covered all the types of activities that organisations might perform on behalf of agencies.[142]

Submissions and consultations

14.109 A number of stakeholders submitted that the definitions under the Privacy Act are adequate and cover all the types of activities that organisations might perform on behalf of a government agency.[143] Privacy NSW submitted, however, that the term and definition of ‘contracted service provider’ be replaced with a term and definition covering a broader spectrum of arrangements such as data services, temporary employees and students. It submitted that the definition should be as inclusive as possible, and suggested the following: ‘a person employed or engaged by the agency or organisation in the course of employment or engagement’.[144]

14.110 Privacy NSW also submitted that, where agencies and organisations engage with third party entities, those third parties should be required to ensure that ‘sub-contractors’ are also bound to comply with the UPPs. Further, the agency or organisation should be responsible for the information while it is subject to dealings with a third party. This will enable individuals to know to whom to complain in the event that they believe that there has been an interference with their privacy.[145]

14.111 National Legal Aid submitted that the current provisions create an arbitrary and somewhat artificial distinction between the way governments contract with organisations to provide government services and the way they fund organisations to provide services that benefit the community. In this sense, it argued, the provisions are confusing. It noted that the adoption of the ALRC’s reforms for more uniform privacy legislation and for removing exemptions from the definition of organisations may remove some of the complexity.[146]

14.112 The OVPC reiterated its view that it is unclear whether contracted service providers are able to contract out of their obligations under the NPPs or a code. The OVPC suggested that the position in Victoria is clearer in this regard. In principle, organisations cannot contract out of their privacy obligations under the Information Privacy Act 2000 (Vic).[147] The OVPC noted that this is not to say that the provisions under the Information Privacy Act are necessarily the best model.[148]

14.113 PIAC submitted that the provisions dealing with contracted service providers should be amended to make it clear that organisations cannot contract out of their privacy obligations and responsibilities. It submitted that provisions similar to the contractor provisions under the Information Privacy Act should be incorporated into the Privacy Act.[149]

14.114 The OVPC highlighted issues related to the enforceability of provisions that purport contractually to bind a service provider. It submitted that there are two options for dealing with this issue:

  • make outsourcing or funding agencies responsible for the actions of their contractors and leave it to the government agencies to pursue the contractor for privacy breaches through indemnities; or

  • leave the outsourcing agency and contracted service provider both liable for privacy breaches and allow the complainant the option of pursuing either or both—similar to the situation with manufacturer and retailer liability.

14.115 In the OVPC’s view, the first option provides greater clarity and suggests that accountability rests with the government. The second option gives the complainant greater flexibility to pursue parallel or alternative rights to seek redress.[150]

ALRC’s view

14.116 The definitions of ‘contracted service provider’ and ‘State contract’ under the Privacy Act are adequate. The ALRC notes the comments by Privacy NSW that the definitions should be amended to include a broader range of arrangements such as data services, temporary employees and students. In the ALRC’s view the current definitions would capture these arrangements. This definition also would capture Public Private Partnerships (PPPs) that are established by contract.[151]

14.117 The ALRC also has concluded that the Privacy Act provisions relating to Commonwealth contractors remain appropriate and effective. The ALRC notes the comments of stakeholders that the contracted service provider provisions are unclear. While the ALRC does not share this view, the redraft of the Privacy Act recommended in Chapter 5 may deal with these concerns.

14.118 Problems caused by government contractors being subject to two or more sets of privacy principles will be addressed partly by the UPPs replacing the IPPs and NPPs. The ALRC is conscious, however, that it still will be possible for a federal agency and an organisation to be subject to different privacy standards.

14.119 An agency may be subject to more stringent privacy standards than a contracted service provider. For example, under the ‘Direct Marketing’ principle an organisation is permitted to use or disclose personal information in certain circumstances for the purposes of direct marketing, whereas an agency is not. Further, because of the operation of the different exceptions for organisations and agencies under the ‘Access and Correction’ principle, an organisation may be permitted to provide access to personal information in circumstances where an agency would not. This is because the ‘Access’ principle that relates to agencies is constrained by the limits of the Freedom of Information Act 1982 (Cth). Conversely, an agency—such as a law enforcement or intelligence agency—may be exempt from complying with the Privacy Act, while an organisation may still be subject to all the UPPs.

14.120 The government contractor provisions of the Privacy Act provide an adequate solution to this problem. It is appropriate that organisations should be subject to the same privacy principles as an agency when contracting with that agency. The ALRC has therefore concluded that the provisions should be retained to ensure that organisations that contract with an Australian Government agency are subject to the same privacy principles as the agency itself.

14.121 The government contractor provisions could result in an organisation being subject to the more stringent privacy obligations of an agency. The ALRC acknowledges, however, that the government contractor provisions could result in an organisation having to comply with a contract provision that imposes less stringent privacy obligations on the organisation than it would usually be required to comply with under the UPPs. Section 95C of the Privacy Act provides some transparency in relation to these arrangements.[152] In the ALRC’s view, this provision should be retained.

14.122 Other Privacy Act provisions relating to government contractors also should be retained, including those relating to direct marketing. If the ALRC’s recommendation to remove the small business exemption is not implemented, the equivalent of s 6D of the Privacy Act should be retained. Section 6D provides that a small business that is also a contracted service provider is subject to the Privacy Act in respect of the performance of that contract.[153]

14.123 It is unnecessary to amend the Privacy Act to clarify whether the outsourcing agency or a contracted service provider is liable for an interference with privacy. Liability for the acts or practices of a contractor will depend on the facts of the case, including the terms of the contract. In the ALRC’s view, the Privacy Act ensures that contracting out of government services does not result in a loss of accountability for the handling of personal information. As outlined above, the Privacy Act provides that organisations (including small businesses) that are government contractors are regulated under the Act, and that an outsourcing agency is required to take contractual measures to ensure that a government contractor complies with the privacy principles. Further, where the actions of a contractor result in an interference with privacy, individuals may make a complaint to the Privacy Commissioner.

National consistency issues

14.124 The privacy regimes in some states and territories include privacy principles that are similar to the IPPs, while other jurisdictions have modelled their principles on the NPPs. Although the privacy principles in the various state and territory regimes often resemble the IPPs and NPPs, they are not identical.

14.125 The OPC Review was told that contracted service providers can be required to comply with three sets of privacy principles—the NPPs which apply to them in their capacity as private sector organisations, the IPPs which apply to them under contracts granted in accordance with s 95B of the Privacy Act, and any applicable state or territory privacy laws.[154] This may be an issue particularly for organisations that provide contracted services involving personal information to federal, state or territory agencies.

14.126 Telstra advised the OPC Review that the proliferation of state legislation and inconsistency between state and federal legislation can add costs to conducting business with government agencies.[155] The OPC recommended that the Australian Government consider reviewing the IPPs and the NPPs with a view to developing a single set of principles that would apply to both Australian Government agencies and private sector organisations. In its view, this would address the issues surrounding government contractors.[156]

14.127 National consistency issues were raised in a number of submissions to this Inquiry.[157] A number of stakeholders submitted that the development of a single set of principles that applied at the federal, state and territory level would deal with national consistency issues.[158] For example, Telstra noted that contractors to state governments are not bound by privacy rules in some states, and submitted that such issues could be resolved through the introduction of a single set of privacy principles across all Australian jurisdictions.[159]

14.128 The adoption of the UPPs, any relevant regulations that modify the application of the UPPs and relevant definitions used in the Privacy Act at the federal, state and territory level will deal with many of the national consistency issues that affect contracted government service providers.

Contractor provisions under state and territory privacy regimes

14.129 Some state and territory privacy regimes require organisations that provide contracted services to a state or territory government agency to be bound by the relevant state privacy principles for the purposes of the contract.[160] Other state regimes provide that compliance with the state privacy regime is subject to any outsourcing arrangements,[161] or are silent on this issue.[162]

Submissions and consultations

14.130 The OPC submitted that it has ongoing concerns that state or territory government contractors, that are otherwise organisations, may not be bound by the Privacy Act or equivalent standards when performing functions under state or territory contracts. The OPC noted that the absence of consistent regulation for state contractors and the possible imposition of different obligations can create gaps in privacy protection and confusion about which body should regulate the privacy practices of state contractors.

For example, in one instance, the Office had to decline to investigate a worker’s compensation matter because it involved a state contractor, but no state privacy regime existed to deal with the matter. In other cases, both the Office and state privacy bodies have declined to investigate the practices of a state contractor.[163]

14.131 The OPC submitted that state and territory contractors should be covered by the Privacy Act, or equivalent legislation. The OPC noted that this could be achieved by all states and territories enacting privacy legislation which imposes obligations on their agencies and contractors that are at least equivalent to the Privacy Act. The OPC submitted in the alternative that the Privacy Act could be amended to ensure that the NPPs apply to state contractors where no equivalent state or territory privacy laws exist.[164]

14.132 The OVPC submitted that the current provisions for ‘government contracts’ and ‘contracted service providers’ in the Privacy Act do not align completely with provisions for ‘state contracts’ and ‘contracted service providers’ in the Information Privacy Act. The OVPC submitted that there are several issues that arise when contractors provide services to federal and state agencies, or operate in more than one jurisdiction. For example:

  • cross-border data flow issues may arise where an organisation contracts with a recipient who is subject to a dissimilar privacy regime, or to no privacy regime at all;

  • additional complexities arise in some cases, where organisations operating in more than one state or territory are bound by privacy schemes that pre-dated, and may in some cases conflict with or override, Victorian privacy law;

  • there is uncertainty about the employee records exemption continuing to apply where a state contract applies; and

  • there have been problems in working out what a ‘state contract’ is, and whether the services are of a public kind. If an organisation falls under the exemption in the Privacy Act and is not picked up by the state Act (or the state has no privacy law in place), then the agency falls through the gap and its clients’ information is not protected under any privacy law.[165]

14.133 The OVPC also submitted that the Privacy Act should be amended to recognise that state privacy laws may apply to contracted service providers seeking to be covered by a code under the Privacy Act, and to import a requirement to consult with and seek the approval of the states before any code covering state contracts is approved.[166]

ALRC’s view

14.134 The Explanatory Memorandum to the Privacy Amendment (Private Sector) Bill 2000 (Cth) states that it was the intention of the Australian Parliament that the acts and practices of state and territory contractors would ‘not be covered by the Commonwealth’s privacy scheme but rather the State or Territory’s own privacy standards’.[167]

14.135 Organisations that contract with a state government should be regulated by privacy legislation. The ALRC considered recommending that the Privacy Act be amended to include a ‘roll-back provision’ to cover state contractors. It is the ALRC’s view, however, that such a law would intrude too heavily on state and territory government business. Instead, the ALRC recommends that state and territory privacy legislation should include provisions relating to state and territory contractors.[168] This is discussed in Chapter 3.

14.136 In the ALRC’s view, organisations would rarely seek to be covered by a code under the Privacy Act in relation to state contracts. The ALRC does not agree that the Privacy Act should be amended to include a requirement for the OPC to consult with and seek the approval of the states before any code is approved covering state contracts. This requirement will not be necessary if each state and territory introduces provisions to regulate government contractors in that jurisdiction. As discussed in Chapters 3 and 17, this issue could be addressed in a memorandum of understanding between the OPC and state and territory privacy regulators. This memorandum of understanding could also set out a process for developing and publishing joint guidance on government contracted service providers for agencies and organisations.

14.137 The ALRC notes that many of the issues identified by the OVPC in its submission are dealt with in other chapters of this Report. Issues related to cross-border data flows are dealt with in Chapter 31 and the employee records exemption is considered in Chapter 40.

[127] The Australian Government Solicitor has drafted a model clause to assist agencies in discharging their responsibilities under the Privacy Act 1988 (Cth): Australian Government Solicitor, Outsourcing: Agency Obligations Under the Privacy Act, Legal Briefing No 63 (2002), 7–8.

[128] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007.

[129] Australian Privacy Foundation, Submission PR 167, 2 February 2007.

[130] National Association for Information Destruction, Submission PR 133, 19 January 2007.

[131] Privacy Act 1988 (Cth) s 6(1).

[132] Ibid s 6D(4)(e).

[133] The Australian Government Solicitor has advised, however, that notwithstanding this exclusion, agencies need to be mindful of the obligation under IPP 4(b) to ensure that everything reasonable is done to prevent unauthorised use or disclosure of personal information when contracting with a state or territory authority: Australian Government Solicitor, Outsourcing: Agency Obligations Under the Privacy Act, Legal Briefing No 63 (2002), 4.

[134] Privacy Act 1988 (Cth) ss 6A(2), 6B(2). See also Australian Government Solicitor, Outsourcing: Agency Obligations Under the Privacy Act, Legal Briefing No 63 (2002), 5.

[135] Office of the Federal Privacy Commissioner, Privacy Obligations for Commonwealth Contracts, Information Sheet 14 (2001).

[136] Privacy Act 1988 (Cth) s 5B.

[137] Australian Government Solicitor, Outsourcing: Agency Obligations Under the Privacy Act, Legal Briefing No 63 (2002), 4.

[138] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007. See also Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.

[139] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[140] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[141] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[142] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 11–1.

[143] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Taxation Office, Submission PR 515, 21 December 2007; Queensland Government, Submission PR 490, 19 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[144] Privacy NSW, Submission PR 468, 14 December 2007.

[145] Ibid.

[146] National Legal Aid, Submission PR 521, 21 December 2007.

[147] Although this was permitted during a phase-in period when the Information Privacy Act 2000 (Vic) first came into force, contractors are now expected to ensure their contractual provisions are in accordance with their legislative obligations under privacy legislation and any other relevant laws: Information Privacy Act 2000 (Vic) s 16(2) and (3).

[148] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[149] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[150] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[151] Public Private Partnerships are characterised by ‘a long-term, whole-of-life commitment by the contractor to deliver and maintain new or redeveloped infrastructure used by a government agency to deliver services to the public’: Australian Government Department of Finance and Administration, Public Private Partnerships: Contract Management (2006), 6.

[152] The section provides that if a person asks a party to a Commonwealth contract to be informed of the content of provisions (if any) of the contract that are inconsistent with an approved privacy code binding a party to the contract or with an NPP, the party requested must inform the person in writing of that content (if any).

[153] See Ch 39.

[154] Australian Government Department of Health and Ageing, Submission to the Office of the Privacy Commissioner Review of the Private Sector Provisions of the Privacy Act 1988, December 2004, 13.

[155] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 37.

[156] Ibid, 8 and rec 5. See Ch 18.

[157] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Law Council of Australia, Submission PR 177, 8 February 2007; CSIRO, Submission PR 176, 6 February 2007; NSW Commission for Children and Young People, Submission PR 120, 15 January 2007; DLA Phillips Fox, Submission PR 111, 15 January 2007.

[158] See, eg, Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007; Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Centre for Law and Genetics, Submission PR 127, 16 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[159] Telstra, Submission PR 185, 9 February 2007. See also Law Council of Australia, Submission PR 177, 8 February 2007; Queensland Council for Civil Liberties, Submission PR 150, 29 January 2007.

[160] See, eg, Information Privacy Act 2000 (Vic) s 17; Information Act 2002 (NT) s 149.

[161] Queensland Government, Information Standard 42—Information Privacy (2001), [1.1].

[162] See, eg, Privacy and Personal Information Protection Act 1998 (NSW); South Australian Government Department of Premier and Cabinet, PC012—Information Privacy Principles Instruction (1992).

[163] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.

[164] Ibid.

[165] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[166] Office of the Victorian Privacy Commissioner, Submission PR 217, 28 February 2007.

[167] Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 8.

[168] See Rec 3–4.