Privacy Law and Policy Reporter
This Advice, subtitled ''Advice for Commonwealth agencies considering contracting out (outsourcing) information technology and other functions', was prepared by the Privacy Advisory Committee (see (1994) 1 PLPR 140) and is issued by the Privacy Commissioner under s27 of the Privacy Act 1988 (Cth) (presumably as guidelines under s27(1)(e)). The Advice was developed by a working party comprising John Goddard (the then data processing representative) and Jim Humphreys from DSS, with input from the Australian Government Solicitor, other agencies and the ACTU.
Australian Government policy is to encourage outsourcing where appropriate as a means of introducing competition to the public sector. As the Advice explains,
The need for an Advice of this kind arises mainly from the fact that, while the Privacy Act covers the conduct of agents and employees of an agency, conduct arising from the provision of a service for the agency by a contractor is not. As a result, the Information Privacy Principles contained in the Privacy Act do not apply to a contractor and nor can the Privacy Commissioner directly investigate any breach of privacy by a contractor. This limitation of the Privacy Act is of great concern to the Committee.
The Advice summarises the current position under the Privacy Act as follows:
Agencies will be held publicly accountable for the way that their personal information is handled by contractors. The decision whether to outsource involves not only a consideration of cost-effectiveness but of accountability, privacy and control.
Outsourcing may lead to a reduction in privacy protection. In some cases, privacy considerations may lead an agency to decide against outsourcing. Agencies should pay attention to any proposal involving offshore processing as this may carry additional privacy risks.
The staffing practices of a contractor may have privacy consequences.
High staff turnover and the use of temporary staff by contractors may affect a contractor's ability to maintain privacy.
Individuals are unable to assert against a contractor any rights under the Privacy Act. Neither can an agency formally stand in a contractor's place for the purpose of an investigation or determination.
Where an agency still has control in relation to personal information no longer in its possession, or has failed to exercise control where it should have, then it would still be subject to the requirements of the IPPs in relation to that information and the individual may be able to assert his or her rights under the Privacy Act against the agency.
IPP 4 requires agencies to protect personal information against misuse by reasonable security safeguards if outsourcing. A key means of compliance with IPP 4 is the inclusion of clauses protecting privacy in outsourcing contracts.
Where a contractor is responsible for an interference with the privacy of an individual, the agency may agree to pay a reasonable amount as compensation to the individual as if that breach had been that of the agency, and recover that amount from the contractor.
In investigating an agency, the Privacy Commissioner has the power to obtain any relevant information from the contractor, and to question the contractor or its employees on any matters relevant to the investigation.
The Advice includes recommended clauses for general use in IT outsourcing contracts between agencies and contractors (see following table), suggested clauses for special situations, and a draft deed for contractors' employees (see following table). Explanations are given of each. The purpose of the recommended clauses is to impose on a contractor many of the obligations that an agency is subject to under the IPPs.
It is expected that these clauses will be used by the Office of Commercial Law within the Australian Government Solicitor. The Privacy Advisory Committee will also be seeking their inclusion in all relevant ''common use' contracts developed by the Department of Administrative Services and in the Government Information Technology Conditions (GITC).
The recommended clauses for general use in agency/contractor contracts incorporate a variety of strategies to overcome the limitation of the lack of direct enforceability of the Privacy Act against contractors. Potential criminal consequences under Commonwealth ''computer crime' laws and other criminal laws are stressed under cl 4 (and cl 3 of the employee's deed). Contractors agree (cl 3) to indemnify the Commonwealth for any liability arising from any breach of the contractor or sub-contractor's obligations under the outsourcing agreement, or any breach of confidence. This is defined to include an indemnity for reasonable amounts of compensation paid (in effect, ex gratia) by an agency for interferences with privacy by a contractor or sub-contractor which would have been breaches of the Privacy Act if done by the agency.
Recommended cl 2(iii), requiring contractors not to transfer personal information outside Australia without prior agency approval, comprises one of the first Australian restrictions on trans-border data flows.
The Advice also suggests that agencies should make contractors aware of being named in reports by the Privacy Commissioner; should ensure adequate data security at the end of the contract; and should provide adequate access to contractor premises etc to allow monitoring of contractor compliance with privacy provisions.
Clauses are recommended for some special situations: data quality obligations where the contractor provides medium to long-term storage; an obligation to inform agencies of requests for access or amendment (or, in some cases, to carry this out); and controls on contractors that collect data.
These recommended clauses should prove to be of great value in bringing certainty and consistency to attempts to protect privacy in outsourcing arrangements. This will be of increasing importance in light of recent changes to agencies such as the Commonwealth Employment Service.
If adopted widely, these recommended clauses will significantly strengthen the Privacy Act against the potentially detrimental effects of outsourcing. However, in the absence of any amendments to the Act giving individuals the right to enforce the IPPs directly against any contractors, outsourcing may still result in individual rights to seek compensation or other remedies under the Privacy Act being replaced with reliance on an ex-gratia payment from an agency, at least where the agency has shown proper diligence in supervising its contractors and so has not itself breached IPP 4.
The potential of Pt VIII of the Act to give individuals a direct remedy against contractors is worth consideration. The contractor's obligations of limited use and non-disclosure (recommended cl 2) would constitute a duty of confidence owed to the agency. s93(3) appears to give ''the person to whom the information relates' (the individual) ''the same rights against the confidant' (the contractor) ''as the confider' (the agency). These rights include a right to recover damages for breach of confidence (s93(1)), and a right to sue third parties. Unfortunately, Pt VIII only applies to obligations of confidence owed by agencies, not obligations of confidence owed to agencies(s89(a)).
Therefore, to achieve the same result, the individual will have to argue that the agency owes him or her a statutory obligation of confidence concerning personal data because of IPPs 10 and 11, and that the contractor (or subcontractor) is a third party who is also bound by this duty owed by the agency and in breach of it. The provisions of Pt VIII would then apply, but the effect is only the same as the result which would probably be reached in equity under the law of breach of confidence. However, the result is that individuals may well have a right to sue contractors directly for damages
''personal information' means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
The contractor shall take all reasonable measures to ensure that personal information held in connection with this agreement is protected against loss, and against unauthorised access, use, modification, disclosure or other misuse in accordance with the procedures set out in Schedule [ ], and that only authorised personnel have access to the personal information.
The contractor shall not vary the security procedures set out in Schedule [ ] without the prior written approval of the agency.
The contractor agrees, in respect of personal information held in connection with this agreement:
(i) to use personal information only for the purposes of fulfilling its obligations under this agreement;
(ii)not to disclose personal information without the written authority of the agency except for the purpose of fulfilling its obligations under this agreement. The contractor shall immediately notify the agency where it becomes aware that a disclosure of personal information may be required by law;
(iii) not to transfer personal information outside Australia, or allow parties outside Australia to have access to it, without the prior approval of the agency;
(iv)to ensure that an employee of the contractor or of any subcontractor requiring access to any personal information makes an undertaking in writing (in accordance with Schedule [ ]) not to access, use, disclose or retain personal information except in performing their duties of employment and is informed that failure to comply with this undertaking may be a criminal offence and may also lead the contractor to take disciplinary action against the employee; and
(v) to immediately notify the agency where the contractor becomes aware of a breach of cl 1 and 2(i)-(iv) by itself or any subcontractor; and
(vi)to co-operate with any reasonable requests or directions of [the agency's delegate] arising directly from, or in connection with the exercise of the functions of the Privacy Commissioner under the Privacy Act 1988 or otherwise including but not limited to the issuing of any guideline concerning the handling of personal information.
(i) The contractor agrees to indemnify the Commonwealth in respect of any liability, loss or expense incurred arising out of or in connection with a breach of the obligations of the contractor under clauses [1 and 2] of this Agreement or for a breach of an obligation of confidence whether arising under the Privacy Act 1988 or otherwise.
(ii) For the purposes of 3(i) ''liability' includes any liability assumed by the agency on behalf of the Commonwealth to pay a person a reasonable amount as compensation for loss or damage suffered by that person as a result of any breach of cls 1 and 2 by the contractor for which the Commonwealth would have been liable under the Privacy Act 1988 if such breach had been that of the agency.
The contractor acknowledges in respect of personal information held in connection with this agreement that:
(i) any unauthorised and intentional access, destruction, alteration, addition or impediment to access or usefulness of personal information stored in any computer in the course of performing, a contract with the Commonwealth is an offence under Pt VIA of the Crimes Act 1914 for which there are a range of penalties, including a maximum of ten years' imprisonment; and
(ii) the publication or communication of any fact or document by a person which has come to their knowledge or into their possession or custody by virtue of the performance of this agreement (other than to a person to whom the contractor is authorised to publish or disclose the fact or document) may bean offence under s70 of the Crimes Act 1914, the penalty for which there is a maximum of two years imprisonment.
A complaint alleging an interference with the privacy of an individual shall be handled by the agency in accordance with the following procedures:
(i) where the agency receives a complaint alleging an interference with the privacy of an individual by the contractor, it shall immediately notify the contractor of only those details of the complaint necessary to minimise any breach or prevent further breaches of the above clauses;
(ii)where the contractor receives a complaint alleging an interference with the privacy of an individual by the contractor, it shall immediately notify the agency of the nature of the complaint but shall only release to the agency personal information concerning the complainant with that person's consent;
(iii) after the agency has given or been given notice in accordance with (i) or (ii), it shall keep the contractor informed of all progress with the complaint as it relates to the actions of the contractor in connection with the allegation of an interference with the privacy of an individual; and
(iv)the agency shall give the contractor 14 days' written notice of an intention to assume a liability, loss or expense in accordance with cl 3 including in that notice an explanation of how that liability loss or expense was assessed and the contractor's proposed share of that liability.
Clauses 1 to 6 shall continue to have effect after the termination
or expiration of the Agreement
This Deed is made on: / /
A. The employee is an employee of [name of the Contractor] (''the employer').
B. The employer has entered into an Agreement with [name of agency or Commonwealth where appropriate] (''the agency') for the [state nature of service].
C. In the course of employment with the employer the employee may have access to the agency's personal information of the agency held in connection with this Agreement.
D. ''Personal information' collected and recorded by a Commonwealth agency is subject to the Information Privacy Principles contained in the Privacy Act 1988.
E. The employer has undertaken that in the performance of the agreement with the agency it will comply with the applicable Information Privacy Principles and has made other undertakings in relation to personal information.
F. The employer has also agreed to obtain from its employees an undertaking to observe the clauses relating to the protection of personal information contained in that contract and to inform the employee that failure to comply with such an undertaking may be a criminal offence and may also lead the employer to take disciplinary action against the employee.
The employee acknowledges that personal information is for the purposes of the Privacy Act 1988 and this Deed:
''information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about a natural person whose identity is apparent, or can reasonably be ascertained, from the information or opinion.'
The employee undertakes:
(a) not to access, use, modify, disclose or retain any personal information of the agency he or she has acquired through the performance of his or her duties of employment with the employer, except for the purpose of fulfilling those duties of employment; and
(b) in addition to any direction as to particular measures specified by the employer, take all reasonable measures to ensure that any personal information held in connection with the agreement is protected against loss, unauthorised access, use, modification or disclosure and against other misuse.
The employee acknowledges that:
(a) any unauthorised and intentional access, destruction, alteration, addition or impediment to access or usefulness of personal information stored in any computer in the course of performing, a contract with the Commonwealth is an offence under Pt VIA of the Crimes Act 1914 which may attract a substantial penalty, including imprisonment; and
(b) the publication or communication by the employer or an employee of the employer of any fact or document which has come to their knowledge or into their possession or custody by virtue of the performance of this agreement (other than to a person to whom the employer is authorised to publish or disclose the fact or document) may be an offence under s70 of the Crimes Act1914, punishment for which may be a maximum of two (2) years imprisonment.
The employee acknowledges that failure to comply with this deed may lead to disciplinary action, including dismissal.
The undertakings made in this deed will survive both the termination or expiry of the agreement between the agency and the employer and the termination or expiry of the employee's employment with the employer.
The employee undertakes that in signing this deed:
(a) he or she understands the employers' responsibilities in relation to privacy;
(b) he or she will not access, use, disclose or retain personal information except in performing his or her duties of employment; and
(c) that he or she understands the possible consequences of a breach of this undertaking.
(Include any other clauses, such as the law governing the deed, and executed as a deed).
(1) s70 of the Crimes Act 1914 does not expressly apply to employees of contractors, but it is arguable that it also extends to employees (and subcontractors) of contractors who perform services on behalf of the Commonwealth. Employees of contractors should be made aware that the provisions of s70 may apply.
The relevant provisions of any other legislation which makes it an offence for the contractor and/or individual employees to disclose personal information should be included in this deed. For example, the Department of Social Security should include the effect of the confidentiality offences contained in the Social Security Act 1991