Binding contractors to the IP Act

Overview

Queensland government agencies¹ are required to comply with the Information Privacy Act 2009 (Qld) (IP Act) when dealing with personal information. The IP Act also requires agencies take reasonable steps to bind some contractors to comply with parts of the IP Act

Chapter 2, part 3 of the IP Act

Under chapter 2, part 3 of the IP Act, an agency must take all reasonable steps to bind a contracted service provider (contractor) if:

• the contracted service provider will deal² with personal information for the contracting agency, or
• the provision of services under the arrangement will involve personal information being transferred to the contracting agency or the contracted service provider will provide services to a third party on behalf of the contracting agency.

Chapter 2, part 3 only applies to service arrangements. A service arrangement does not need to be a formal contract; it can be any agreement:

• that is for the purpose of performing one or more of the contracting agency's functions
• that provides for a service to be provided directly to the contracting agency or to someone else on behalf of the contracting agency; and
• not made between the contracting agency and an employee or another agency.

An agency is not required to bind a contractor if all the following apply:

• the contracted service provider receives funding from the contracting agency
• the contracted service provider will not collect any personal information for the contracting agency
• the contracted service provider will not give any personal information it collects while performing the agreement to the agency; and
• the agency will not give any personal information to the contracted service provider.³

The checklist at Appendix A will help agencies decide whether a contractor needs to be bound under chapter 2, part 3 of the IP Act.

Entities subject to the Privacy Act 1988 (Cth)

A contracted service provider that would normally be subject to the Privacy Act 1988 (Cth), will not be subject to that Act for anything it does for a ‘State contract’, whether or not it is bound under chapter 2, part 3.⁴

What are contractors bound to

Contractors must be bound to comply with the Queensland Privacy Principles (QPPs), the overseas disclosure rules in section 33, and the requirement in section 41 to comply with a QPP Code.

Who is responsible for a breach of privacy?

Once bound, the contractor assumes the privacy obligations as if it were the agency. In the event of a breach, any privacy complaint would be made against the contracted service provider.

If the contracting agency should have taken reasonable steps to bind the contractor and didn’t, the contracting agency will be liable for any privacy breaches of the contracted service provider. The agency will not be liable if, despite taking all reasonable steps, it was not able to bind the contractor.

Additional privacy considerations

In addition to the obligations in chapter 2, part 3, agencies must meet their obligation to comply with the QPPs.

Use and disclosure

If the agency is engaging the contractor to do something on the agency's behalf and will maintain control of personal information, giving it to the contractor will generally be a use. If the agency will not retain control of the personal information, it will generally be a disclosure. For more information refer to Key privacy concepts – use and disclosure.

QPP 6 sets the rules for use and disclosure of personal information. The agency must ensure it complies with QPP 6 when giving personal information to a contractor. For more information refer to the Key privacy concepts – use and disclosure and the QPP 6 guidelines.

Once bound, QPP 6 applies to the contractor. The contracting agency could consider requiring contractors that intend to rely on QPP 6 to use or disclose personal information for something other than the contract to notify the agency.

Disclosure out of Australia

The contracting agency must ensure it complies with section 33 if giving personal information to the contractor involves disclosing it overseas. The agency may also want to limit when the contractor can disclose personal information outside of Australia.

Subcontractors

Subcontractors cannot be bound under chapter 2, part 3. If an individual's privacy is breached by a subcontractor, they cannot make a privacy complaint under the IP Act against the subcontractor.

Agencies should consider addressing subcontractors in the agreement, for example by:

• limiting or prohibiting use of subcontractors
• requiring that any subcontractor is contractually required to comply with the privacy principles or that they enter into a Deed of Privacy with the contractor.
• making the contractor liable for any privacy breaches by the subcontractor.

Privacy complaints

If an individual believes a bound contractor has breached their privacy, they can make a privacy complaint to the contractor. It is recommended that the service arrangement specify who will be responsible for handling privacy complaints and how privacy complaints will be managed.

Data breach notification

The IP Act's Mandatory Notification of Data Breach scheme and rules do not apply to contractors, however agencies should consider including a data breach notification requirement in the service arrangement, e.g. that the agency and/or affected individuals must be notified.

Depending on the circumstances, including the terms of any contract, an agency may have obligations under the MNDB scheme for data breaches involving documents in the possession of contracted service providers, if compromised information is contained in documents under the agency’s control.⁵

Refer to Mandatory notification of data breach and Contractors and data breaches for more information.

Access and amendment

Documents in the possession of contractors may remain in the agency's control Documents in an agency's control can be applied for under the Right to Information Act 2009 (Qld).

The service arrangement should set out which documents are controlled by the agency and that these documents must be provided to the agency upon request.

Privacy Impact Assessments

Privacy Impact Assessments (PIA) can provide a clear understanding of how personal information will flow in the service arrangement. Refer to Undertaking a Privacy Impact Assessment for more information.

Privacy performance review

A contractor's privacy performance should be reviewed before extending or renewing a service arrangement, but agencies may wish to include a requirement for a review of privacy performance during the contract. This could include:

• regular surveys, reports and/or audits on how the contracted service provider is meeting its privacy obligations; and
• reports on the number of privacy breaches and/or complaints received and on its response to these data breaches and/or handling of these complaints.

Early engagement with service providers

Assessing a service provider’s capacity for privacy compliance prior to engagement can help determine if they have the ability and resources to meet the IP Act's privacy obligations. This could include:

• checking if the contractor has been assessed and accredited against an industry quality assurance framework that includes an appropriate privacy standard.
• ensuring invitation documents include information about the required privacy compliance
• specify demonstrated privacy compliance as an evaluation criteria.

After the service arrangement ends

The service arrangement should cover what happens to personal information held by the contractor as part of the service arrangement after it ends.

If it is not being destroyed or completely returned to the agency, the service arrangement should include provisions that require the bound contracted service provider to continue to comply with the privacy principles in relation to the personal information it retains.

When bringing a service arrangement to an end, the contracting agency should ensure that personal information held by the contracted service provider is dealt with as required by the service arrangement. The contracting agency should perform an audit or seek a report from the contracted service provider to confirm all personal information has been securely returned, or disposed of, and is accounted for.

This approach may reduce the risk of personal information being abandoned and then improperly accessed (for example, where data is recovered from a laptop or computer sold at public auction).

Public Records

Records generated or received by the contractor while delivering the function or service under the service arrangement may be public records which are the responsibility of the contracting agency. This should also be addressed in the service arrangement, e.g. by requiring the delivery of documents to the contracting agency or specifying when and how documents can be destroyed.

Appendix A

Contracted Service Provider Checklist

This checklist will assist agencies to determine whether the contract or other arrangement falls into those circumstances.

If you answered no to both of these questions, the requirements of chapter 2, part 4 do not apply.

If you answered yes to either of these questions, continue to the next question.

If you answered no to this question, the requirements of chapter 2, part 4 do not apply.

If you answered yes, continue to the next question.

If you answered yes to this question, the requirements of chapter 2, part 4 do not apply.

If you answered no, continue to the next question.

If you answered no to all of these questions, the agency is not required to take all reasonable steps to bind the contracted service provider to the privacy principles.

If you answered yes to any of them, continue to the next question.

If you answered yes to any of these questions, the agency is required under section 35(1) of the IP Act to take all reasonable steps to bind the contracted service provider to the privacy principles.