How privacy principles affect contracted service providers
It is not uncommon for agencies to enter into an agreement with an external service provider to perform a service that falls within the agency’s functions. The service may be provided directly to the agency, such as ICT operations or internal audit, or may be provided to a third party on behalf of the agency, such as the provision of a community health service.
The Information Privacy Act 2009 (Qld) (IP Act) requires an agency to take reasonable steps to bind contractors to the privacy principles if:
- they deal with personal information for the agency;
- personal information will travel from the contractor to the agency; or
- they are providing services to a third party for the agency.
If the agency does not take all reasonable steps to bind the service provider, the obligation to comply with the privacy principles in relation to that service remains with the contracting agency.
Accordingly, in the event of a breach by this contracted service provider, the privacy complaint would be made against the contracting agency.
Whether the service arrangements require an agency to bind the contracted service provider will depend on the services being provided and the nature of the arrangement.
The following are examples of differing arrangements between the ‘Department of Wizardry’ (an agency that delivers training services to magicians and fosters growth in the magical services sector through partnerships, programs and events) and different service providers.
|Scenario|Is the agency required to bind the contracted service provider?|
|---|---|
|The Department of Wizardry drafts a service level agreement with the Department of Magical Creatures (another Queensland Government agency) for management of its recordkeeping program.|As all Queensland government agencies are already subject to the privacy principles, chapter 2, part 4 will not apply.|
|The Department of Wizardry engages ‘Disappearances R Us’ to provide bins for sensitive document destruction.|The service provider will be dealing with personal information on behalf of the contracting agency and the agency should take reasonable steps to make sure the contracted service provider is subject to the relevant privacy principles.|
|The Department of Wizardry provides funding to ‘Best-of-Breed Balloon Animals Inc’ to hold a series of events that will promote and build the reputation of magicians in Queensland.|Under section 35(3) of the IP Act, an agency is not required to bind a contracted service provider to comply with the privacy principles where the contracted service provider:<br>If ‘Best-of-Breed Balloon Animals Inc’ are being engaged to coordinate the event and will collect the names of individuals who wish to attend for the Department of Wizardry, then yes, they should be required to comply with the privacy principles.<br>If ‘Best-of-Breed Balloon Animals Inc’ are being engaged to simply turn up and make a few balloon unicorns, then no, the agency is not required to bind the contracted service provider to comply with the privacy principles.|
|The Department of Wizardry prepares a contract with ‘Houdini & Co’ to attend onsite and present a session on making paper-jams escape from the photocopier.|Section 34 of the IP Act provides that the service in question has to be for the purpose of the performance of functions of the agency. That is, the contractor has to be performing functions that are connected with the functions that would otherwise be provided by the agency itself. As the Department of Wizardry is not in the business of fixing photocopiers, the agency is not required to bind the contracted service provider.|
|The Department of Wizardry engages ‘The Abracadabra Factor’ to manage applications made to the department for a permit to practice magic.|The service provider will be providing services to a third party on behalf of the contracting agency and may be using, collecting, disclosing and storing personal information. The IP Act requires that the contracting agency take all reasonable steps to ensure that the contracted service provider is contractually bound to comply with the privacy principles.|
|The Department of Wizardry engages ‘White Rabbit Group’ (a company covered by the Commonwealth Privacy Act 1988) to run training sessions on how to do the three cups and ball magic trick.|Although some service providers may be subject to the National Privacy Principles (NPPs) under the Privacy Act 1988 (Cth), if the service provider is carrying out obligations under a state contract it must comply with the IP Act (and the IPPs) rather than the NPPs under the Privacy Act 1988. Because the department in this instance will be passing on the names of wizards who will be attending training and White Rabbit Group will be passing the results of the training back to the department, they should be a bound contractor.|
Simply stating in the contract or other arrangement that the bound contracted service provider is to comply with the relevant sections may not be sufficient to satisfy section 35 of the IP Act. For example, an agency should consider setting out how the bound contracted service provider is to comply, particularly with regard to the access and amendment privacy principles.
Agencies are encouraged to access the range of OIC guidelines that discuss contracted service providers for further advice on potential issues to consider and provisions that agencies may find useful when preparing service arrangements.