Increasingly, agencies[1] are engaging an external entity (contracted service provider) to perform some of their functions or activities.[2] Where agencies enter into service arrangements that involve personal information, chapter 2, part 4 of the Information Privacy Act 2009 (Qld) (IP Act) may require the contracting agency to take all reasonable steps to bind the contracted service provider to comply with the privacy principles.[3]
This requirement does not limit the privacy protections that can be provided for in the service arrangement.[4]
What is a service arrangement?
The obligations in chapter 2, part 4 only apply to a service arrangement. A service arrangement does not need to be a formal contract; it can be any agreement that meets the following criteria:
An agency must take all reasonable steps to bind a contracted service provider to comply with the privacy principles if:
The Contracted service provider checklist in Appendix A will help agencies work out whether they need to take reasonable steps to bind a contracted service provider.
An agency is not required to bind a contracted service provider to comply with the privacy principles if all the following apply:
A contracted service provider that would normally be subject to the Privacy Act 1988 (Cth) will not be subject to that Act for anything it does in relation to a State Government contract.[7] This will be the case whether or not it is made subject to the IP Act privacy principles.
Even if agencies are not required to bind the contractor to the privacy principles, IPP 4(1)(b) and NPP 4(1) require them to ensure personal information disclosed to third parties in connection with the provision of a service is protected from misuse, loss and unauthorised access, modification or disclosure.
Once bound, the contracted service provider assumes the privacy obligations[8] as if it were the agency. In the event of a breach, any privacy complaint would be made against the contracted service provider.[9]
If the contracting agency should have taken all reasonable steps to bind the contractor and didn’t, the contracting agency will be liable for any privacy breaches of the contracted service provider.[10] However, the agency will not be liable if, despite taking all reasonable steps, it was not able to bind the contractor.
In addition to binding contracted service providers where required by chapter 2, part 4 of the IP Act, agencies must also meet their obligations under the other privacy principles.[11]
The privacy principles create rules for both the use and disclosure of personal information.[12] When engaging an external contractor, an agency will need to consider—
—to work out whether giving personal information to the contractor will be a use or a disclosure.
Generally, if an agency uses personal information to seek advice about, or engage a contractor to deal with, a matter involving an individual, it will be directly related to why their personal information was originally collected. Use for a directly related purpose is permitted by the privacy principles.[13]
If the agency is engaging the contractor to do something on the agency's behalf, and the agency will maintain control of the personal information it provides, then it will be a use[14] of personal information.
The agency enters into an agreement with SuperQuik Collections to recover a debt from Bob and they give SuperQuik a copy of the relevant information about Bob's debt. The agency's agreement with SuperQuik states that SuperQuik will only use Bob's information to recover the debt, will ensure it's stored and handled securely, and will return all of Bob's information at the end of the agreement.
If the agency will not retain control of the personal information it gives to the contractor, it will generally be a disclosure[15] of personal information, which may breach the privacy principles.[16]
Where the agency approves it, and the personal information is protected, the contractor giving personal information to another party outside the agency can also be a use.
In some circumstances, the contracting agency may intend to retain and continue using copies of personal information given to the contracted service provider.[17] Under IPP 10 and NPP 2, an agency must not use personal information for a purpose other than that for which it was obtained, unless a permitted exemption applies.
If the function for which the personal information was obtained is now being undertaken solely by the contracted service provider, any use of the personal information by the contracting agency will constitute a secondary use and will need to be permitted under one or more of the exceptions in IPP 10 or NPP 2.[18]
While not required by the IP Act, assessing a service provider’s capacity for privacy compliance prior to engagement can help determine if they have the ability and resources to meet the IP Act's privacy obligations.
One approach is to check whether the contractor has been assessed and accredited against an industry quality assurance framework that includes an appropriate privacy standard.[19]
Another approach is to include information about the privacy principle compliance requirement in material inviting offers. This ensures potential service providers are aware of the privacy obligations which attach to the contract. Agencies may also wish to specify demonstrated capability to comply with the privacy principles as one of the evaluation criteria in the invitation documentation.
Conducting a Privacy Impact Assessment (PIA) will provide a clear understanding of how personal information will flow in the outsourcing arrangement. This will help inform what provisions should be included in the service arrangement. For further information on conducting a PIA, please refer to Conducting a Privacy Impact Assessment.
A Deed of Privacy can be used to protect privacy in outsourcing arrangements. A template with sample clauses that agencies can adapt or build on to suit their specific circumstances when drafting service arrangements is available here: Deed of Privacy.
The template is intended to serve as a starting point to address areas such as storage, use, and disclosure of personal information and data breach notification. It does not cover all privacy considerations that may arise when drafting a service arrangement.
The Queensland Government Service Agreement - Standard Terms for Social Services provides another example of how privacy considerations can be addressed in a service arrangement.
Agencies could consider requiring the contractor’s employees to sign a Deed of Confidentiality, addressing, for example:
The obligations in chapter 2, part 4 only allow for contractors to be bound to comply with the privacy principles, not subcontractors. If an individual's privacy is breached by a subcontractor, they cannot make a privacy complaint under the IP Act[21] against the subcontractor.
Agencies should consider imposing contractual obligations on the bound contracted service provider such as:
Alternatively, the agency could consider:
The privacy principles provide a number of exemptions that allow the use and disclosure of personal information for purposes other than that for which it was collected. These exceptions also apply to bound contracted service providers. For example, a contracted service provider may be able to use personal information for a purpose not related to the service arrangement if they obtain the agreement of the individual whom the personal information is about.[24]
The contracting agency may wish to include a provision setting out that, if a bound contracted service provider relies or intends to rely on any of the exceptions in IPPs 10 and 11 or NPP 2, it must notify the agency first.
A bound contracted service provider is subject to section 33 of the IP Act, which sets out when personal information can be transferred outside Australia.[25] To ensure that there is no breach of this provision, the service arrangement could further limit or specifically outline in which circumstances personal information can be transferred outside of Australia.
If an individual believes a bound contracted service provider[26] has not complied with the privacy principles in relation to their personal information, they can make a privacy complaint.[27] It is recommended that the service arrangement specify who will be responsible for handling privacy complaints and how privacy complaints will be managed.[28]
Although the IP Act does not impose any mandatory data breach notification requirements, prompt notification will allow the agency to minimise the negative impacts resulting from the breach.
Agencies should consider including a provision in the service arrangement that specifies when and how the bound contracted service provider is required to notify the agency of a data breach.[29]
Examples of potential data breaches include:
If the breach is systemic and rectification is not possible, the agency may consider whether this would provide grounds to terminate the service arrangement.
The IP Act provides individuals with the right to access and amend their personal information. These rights are primarily set out in chapter 3 of the IP Act.
Despite being bound to comply with the privacy principles, bound contracted service providers are not an agency and therefore chapter 3 does not apply to them. Documents in their possession, however, may be subject to that right if the agency retains control[30] of them.
It is important that the service arrangement sets out which documents and information the agency owns/controls.[31] It should also set out that these documents must be provided to the agency upon request.
The service arrangement may permit a performance review of the contracted service provider’s compliance with the privacy obligations in the IP Act.
Performance monitoring could include:
The contracted service provider’s privacy performance and the adequacy of current privacy provisions should be reviewed before extending or renewing a service arrangement.
The service arrangement should cover what happens to personal information held by the contractor as part of the service arrangement after it ends. If it is not being destroyed or completely returned to the agency, the service arrangement should include provisions that require the bound contracted service provider to continue to comply with the privacy principles in relation to the personal information it retains.
When bringing a service arrangement to an end, the contracting agency should ensure that personal information held by the contracted service provider is dealt with as required by the service arrangement. The contracting agency should perform an audit or seek a report from the contracted service provider to confirm all personal information has been securely returned, or disposed of, and is accounted for.
This approach may reduce the risk of personal information being abandoned and then improperly accessed (for example, where data is recovered from a laptop or computer sold at public auction).
Records generated or received by the contracted service provider while delivering the function or service under the service arrangement will usually be public records[32] and are the responsibility of the contracting agency.[33] The requirement to retain public records until the expiration of the relevant retention period should be factored in when drafting provisions for managing records at the completion of the service arrangement.
For example, provisions in the service arrangement may include arrangements for returning documents to the contracting agency (including the format of electronic and other technology-dependent documents), the method by which documents are to be destroyed (where appropriate, under a Retention and Disposal Schedule approved by the State Archivist), and agreed timeframes.
Current as at: September 20, 2019