Privacy Law and Policy Reporter
Ever since the commencement of the Privacy Act in 1989, the Privacy Commissioner has been drawing attention to the loss of protection involved where Commonwealth agencies have contracted out (out-sourced) activities or functions to the private sector, state and territory governments or non-government organisations.
Whatever conditions and requirements are placed in contracts, the fact that contractors have not themselves been generally subject to the Privacy Act means that individuals’ rights of redress in the event of breaches of privacy have been limited. The Privacy Commissioner repeatedly drew attention to this gap over a number of years, and called for it to be addressed, preferably by amendment of the Privacy Act.
Pending a more satisfactory solution, the Commissioner has urged agencies considering outsourcing to include appropriate terms and conditions in the contracts, and has issued Guidelines to this effect, through the Privacy Advisory Committee.
The Commissioner has also warned that it may not be appropriate to contract out the handling of particularly sensitive personal information. Other issues come into play in this wider debate. While most people would find it unacceptable to privatise defence or national security, most other functions now seem to be considered at least eligible for contracting — even policing and prisons. But public perceptions of risk and propriety, and issues of accountability, are at least as important in this debate as rational calculations of whether public servants are any more or less ‘trustworthy’ and responsible.
Relying on contracts alone is unsatisfactory for a number of reasons. The Privacy Commissioner has no direct jurisdiction over the contractor in order to audit compliance or investigate complaints, and cannot make a determination requiring the contractor to remedy a breach of the principles or, if appropriate, pay compensation. Attempts to enforce compliance and achieve remedies through enforcement of contractual terms would be unwieldy and impractical — realistically a client agency is not going to incur the expense of breach of contract litigation, or terminate a contract, because of some relatively minor privacy breach, or even repeated breaches. Reliance on contractual safeguards is simply too blunt an instrument for dealing with the commonplace interferences with privacy, such as unauthorised or inappropriate disclosure of personal information, identity mistakes, loss of data or failure to adequately inform individuals about purposes.
There are three solutions to the outsourcing ‘gap’.
During the first half of 1997, the federal government was preparing a major initiative to contract out most of the data-processing and other Information Technology (IT) functions of the Commonwealth. Although consideration had been given to the privacy implications, the announcement of the initiative in May 1997 did not deal with the issue of an extension of the Privacy Act. It was only following an outcry from privacy groups and the public service union that the Minister for Finance confirmed that it was the government’s intention to extend the Act. It took several more months for the government to confirm that this decision applied to all contracting out — not just in the IT area.
The amending legislation proved more complex and difficult to draft than was originally anticipated. The Privacy Amendment Bill 1998 was finally introduced into the House of Representatives on 5 March. While there has not yet been time to analyse the proposed changes in detail, there are a number of immediate points of interest.
Caught between its commitment to ensure protection wherever data handling was contracted out, and its rejection of general private sector privacy law, the government faced a difficult dilemma: how to draft an extension which would cover the main categories of contractors carrying out functions previously undertaken by agencies themselves, without inadvertently subjecting a whole range of service providers funded directly or indirectly by the Commonwealth (including all GPs, and various non-government organisations (NGOs)) to the privacy regime. The government’s solution has been to introduce an all-encompassing definition of ‘contracted service providers’ which picks up sub-contractors (and any other persons acting on behalf of the contractor); services to third parties (not just to client agencies themselves); and also non-contractual relations between government agencies which are equivalent to a contracted service. But the Bill then excludes specified ‘funded services’. This approach is likely to be fairly controversial — particularly the selection of funded services to be excluded (Sched 3), and the provision for amending this list by regulation.
The Bill also makes it clear (Item 9) that the Privacy Act only applies to contractors when, and to the extent that, they are providing services to the Commonwealth.
The Bill adopts a ‘belt and braces’ approach to privacy protection where services are contracted out, to ensure that individuals are not disadvantaged by any uncertainty about who is responsible. The contracting (client) agency is not relieved of responsibility for compliance with the IPPs, but continues to share that responsibility. For instance, the client agency remains responsible for ensuring that any collection of personal information on its behalf is in accordance with the IPPs (Item 21). Various provisions ensure that the client agency is notified about complaints or other alleged breaches of the principles by a contractor, and remains involved in any resolution (Items 26-28, 32, 33, 36).
Another ‘safety net’ provision ensures that the Privacy Commissioner can allow a complainant to amend a complaint to ensure that the appropriate party is named (Item 29). This deals with the problem that it may not become obvious until well into a complaint investigation exactly which party — client agency or contractor — is responsible. The Commissioner’s powers are amended to facilitate enquiries and investigations in this respect (Item 31).
The Bill deals expressly with situations where a contractor ceases to exist, becomes insolvent, etc, by allowing the Privacy Commissioner, in the event of a complaint, to substitute the outsourcing agency for the contractor (Items 34-36). It also provides for the agency to be liable if the contractor breaches a general prohibition on overseas processing (see below) (Item 20).
Reflecting the High Court’s decision in the Brandy case, the enforcement mechanisms under the Act vary depending on whether the respondent is a Commonwealth agency or a private sector organisation. Item 37 makes it clear that it is the private sector mechanisms which apply to any determinations in respect of contractors, ie enforcement could only follow a de novo hearing by the Federal Court. While this is unsatisfactory, it is unavoidable given the High Court’s view of the limitations on the jurisdiction of administrative tribunals.
Because the Privacy Act currently applies to the ACT government, it has been necessary to include a special provision to ensure that the government’s policy does not extend to the ACT government. It is presumably left to the ACT government to adopt the same policy either through Territory legislation or by requesting the Commonwealth to make further amendments to the Privacy Act.
The Bill deals expressly with an issue which has caused some difficulty under the current Act, in defining transfer of personal information between an outsourcing agency and a contractor as a ‘use’ subject to IPP 10, rather than as a ‘disclosure’ subject to IPP 11. The second reading speech suggests that one consequence of this provision is that contractors will not be able to mix information held under a Commonwealth contract with other information they hold, for other purposes. Given the range of exceptions to IPP 10, the law itself may not guarantee this, but hopefully a combination of the amendments and contractual provisions will do so.
The government has decided that it is not appropriate for personal information to be processed overseas and will be making it a requirement of contracts under its IT infrastructure initiative that services be provided within Australia. However, as another ‘safety net’, the second reading speech states that the Bill deems anything done outside Australia by a contracted service provider to have been done in Australia. There is also a further safeguard referred to above (Item 20) which makes the client agency, or if appropriate a contractor within Australia, liable for any failure by another contractor to comply with the IPPs offshore. It is implicit, but not expressly stated, that other non-IT contracts involving the handling of personal information will prohibit offshore processing.
The approach to the openness principles (IPPs 5, 6 and 7) is of particular interest. Item 24 of the Bill excuses a contractor from complying with IPP 5, including the reporting requirements for the Personal Information Digest, if the client agency discharges these obligations. This seems a sensible way of avoiding a potentially onerous administrative burden without any loss of ‘transparency’.
The proposed arrangements for access and correction do not appear so satisfactory. This was always going to be a difficult issue to deal with given that the administrative mechanisms for handling access and correction, to comply with IPPs 6 and 7, have always been contained in the Freedom of Information Act 1982 (Cth) (FOI Act). The relationship between the two Acts in relation to personal information was the subject of analysis and recommendations by the Australian Law Reform Commission and the Administrative Review Council in 1996. There has yet to be a government response to the ALRC/ARC report, but the outsourcing issue has forced a partial and hopefully interim response.
The FOI Act is to be amended (by a future Bill), to ensure that individuals can obtain access to, and where appropriate correct, information about themselves held by contractors pursuant to a service provided to the Commonwealth. But this is apparently to be effected by deeming documents containing such information to be in the possession of the client agency. It is apparently envisaged that an agency will then be able to include provisions in the contract to give practical effect to the access and correction rights.
The problem with this approach is the same as in relying on contractual provisions alone — if a contractor does not comply with the letter or spirit of FOI Act provisions, redress for an individual will have to rely on the client agency attempting to enforce the contract, or seeking to take actual possession of the personal information in question so as to comply itself with the individual’s request. This is very much a second best to the contractor being separately liable to comply with the access and correction principles, which could best be achieved by transferring the personal information aspects of the FOI Act into the Privacy Act, and making them subject to the jurisdiction of the Privacy Commissioner.
The final point of interest I have so far identified is the government’s assertion that ‘there is no significant financial impact on government as a consequence of applying the Privacy Act to contracted service providers’. This assertion disguises the fact that there has apparently been no provision of additional resources for the Privacy Commissioner. Given that there will be an immediate addition to the Commissioner’s jurisdiction of a large number (thousands?) of contractors providing a wide variety of services, with thousands more as and when additional services and functions are outsourced, the government’s commitment to effective implementation of the amendments must be in doubt.
While it is true that some of the contractors will have already been required by contract terms to comply with some of the IPPs, it is very disappointing that no resources appear to have been earmarked for education, complaint investigation or auditing of the many contractors that should be seriously facing up to compliance for the first time. The new jurisdiction will place additional strains on the Commissioner’s already depleted staff, following the major cutbacks in the 1997 federal Budget. Although the government has announced that the Privacy Commissioner is to be statutorily separated from the Human Rights and Equal Opportunity Commission, and established as a separate Office (see (1997) 4 PLPR 80), it is not yet clear if this will be accompanied by any increase in or even restoration of previous resource levels.
It remains to be seen what approach the opposition parties take to the Privacy Amendment Bill when it reaches the Senate. There will clearly be a temptation to use the legislation as an opportunity to renew the call for a general extension of the Act to the private sector. While this needs to be done, and the inadequacy of the government’s current policy should be exposed, it would be a shame if the politics of the wider issue held up the extension of the Act to ensure that there is no loss of privacy protection where functions are contracted out. With the growing pace of outsourcing, the need is more pressing than ever.
Nigel Waters, Associate Editor.
This is a revised version of a paper first presented to a Records Management Association seminar in Canberra on 11 March 1998.
 Employment Services (Consequential Amendments) Act 1994 (Cth).
 Hearing Services and Australian Government Health Service (AGHS) Reform Act 1997 (Cth).
 By virtue of Sched 3 to the Australian Capital Territory Government Service (Consequential Amendments) Act 1994 (Cth).
 ALRC/ARC, Open Government, A review of the Freedom of Information Act 1982, January 1996.
 Attorney-General, Second Reading Speech, House of Representatives Hansard, 5 March 1998, p 387.