Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Rawlings, Jane --- "Outsourcing under the amended Privacy Act 1988" [2001] PrivLawPRpr 17; (2001) 7(10) Privacy Law and Policy Reporter 200

Outsourcing under the amended Privacy Act 1988

Jane Rawlings

The advent of the Privacy Amendment (Private Sector) Act 2000 (Cth) will undoubtedly have an effect on both outsourcing customers and outsourcing service providers in Australia. The introduction of the National Privacy Principles (NPPs) into private sector outsourcing and the continued application of the Information Privacy Principles (IPPs) will undoubtedly have an effect on the drafting of traditional information technology (IT) outsourcing contracts for both public sector outsourcing and private sector outsourcing, although that effect will be greater for the outsourcing of business processes.

Privacy and outsourcing in the private sector

Before discussing the effect that the new NPPs will have on private sector outsourcing contracts after 21 December 2001, it is worthwhile stepping back slightly from the privacy legislation and defining what we mean by ‘outsourcing’ in the first place.

What is outsourcing?

From the information technology perspective, an outsourcing relationship simply involves contracting with outside consultants from software houses or service bureaus to provide systems analysis, programming and data centre operations.

It may be that the outsourcing service provider provides data processing services by using their own computer equipment (or by taking over the customer’s computer equipment). Alternatively, the service provider can send its staff onto the customer’s site to run the customer’s data processing operations, which is known as IT ‘facilities management’.

In each case the result is the same. A function which the customer’s staff previously performed inhouse (for example, providing data processing services to other employees of the customer or providing inhouse programming or systems analysis services) is now provided by an external service provider for a fee. The customer essentially pays for the service and the risks and costs of managing the provision of that service are transferred to the service provider. Examples in IT outsourcing are data processing contracts; application service provision (ASP) contracts, where an organisation makes software applications available on its computer equipment (including its web service), for use by smaller organisations on a fee per use basis; and outsourcing of internet related business functions such as hosting of web content and applications on a third party web server.

However, it would be a mistake to think of privacy issues in outsourcing as purely relating to service provision of IT functions including data processing. Entire business functions can be outsourced as well, particularly in the private sector. Examples of business function outsourcing include call centre agreements where the service provider provides a fully staffed call centre which may, for example, handle customer sales, enquiries or complaints or provide a help desk service on behalf of, and in the name of, the organisation which outsourced that business function to the call centre. A feature of call centre operation is that enquiries from the general public are answered (usually in a strictly scripted manner) in the name of the customer under the call centre contract. For example, a mobile phone company may outsource call centre handling of new sales enquiries. The call centre staff will answer the phone enquiries in the name of the mobile phone company in such a way that individuals have no idea that they are not actually talking to staff of the mobile phone company itself.

This type of business function outsourcing raises privacy questions in addition to those raised by the simpler IT outsourcing relationship. The service provider in a business function outsourcing contract collects, uses and discloses personal information to the organisation to which it provides the outsourced business service of the outsourced business function.

The current privacy position for outsourcing in the private sector

Currently, many private sector outsourcing companies, both in traditional IT outsourcing and in business function outsourcing, escape privacy regulation in Australia almost altogether, and will continue to do so until 21 December 2001 when the Privacy Amendment (Private Sector) Act 2000 comes into force. Privacy obligations may be imposed by contract, or may apply because the processing of personal information falls into a sectoral compliance regime. Thus privacy obligations apply to the following:

• those organisations who provide traditional IT sourcing services for outsourcing of public sector functions (to the extent that this is permitted by law) who have had the privacy requirements of the IPPs placed upon them by contract;
• those organisations providing either IT outsourcing services or business function outsourcing services to credit providers and credit reporting agencies, to the extent that the appropriate contractual obligations have been placed upon them by either credit providers or credit reporting agencies who make up their customer base;[1]
• outsourcing service providers of IT or business function services to organisations regulated by sectoral privacy regimes such as that found within the Telecommunications Act 1997 (Cth), to the extent that appropriate contractual obligations have been placed upon them or they have signed up to a relevant code of conduct; and those who provide either IT or business function outsourcing services for practices which are the subject of other State or Federal legislation (such as workplace surveillance, video surveillance and interception of communications); and
• those outsourcing service providers who have voluntarily complied with the benchmark standards for privacy standards set out in the National Principles for the Fair Handling of Personal Information developed by the Privacy Commissioner.[2]

However, the common feature of all of these is that an outsourcing service provider who would not fall within the regulatory ambit of the Privacy Act 1988 (because it is not a credit provider, credit reporting agency or public sector agency), voluntarily assumes privacy obligations in the collection, use and disclosure of personal information by way of contractual obligation, or by agreeing to be bound by a code of conduct.

The position after 21 December 2001

After 21 December 2001, the picture changes for outsourcing service providers. They will be bound by the NPPs with respect to their own collection, use or disclosure of personal information, to the extent that this does not fall under one of the exemptions to the amended Privacy Act 1988 (such as personnel reports or personal data which is used with a secondary purpose of direct marketing rather than the primary purpose of director marketing; NPP 2.1(c)). Apart from this, many will also be caught by the fact that they collect, use or disclose personal information for their customers under the terms of their outsourcing contracts. The outsourcing service provider may also be made contractually liable for any act or omission which causes the customer of the service provider to be in breach either of the Privacy Act 1988 or of any code of conduct to which that customer has agreed to be bound.[3]

The purpose of the 10 NPPs are to set out the information privacy principles that will apply to collection, use or disclosure of personal information in the private sector. The regulatory approach in the Privacy Amendment (Private Sector) Act 2000 is deliberately ‘light touch’ and has fostered the development of industry based codes of practice. Examples of these are the codes of conduct in the area of direct marketing such as the Internet Industries Association’s Code of Practice on Direct Marketing[4] and the Australian Direct Marketing Association’s Code of Practice on Direct Marketing[5]

Privacy clauses in private sector outsourcing contracts

Of course, the Privacy Commissioner is yet to issue guidelines and practical advice on the operation of the NPPs that currently exist for the IPPs, including those in the specific area of public sector outsourcing. Is it enough, then, for a private sector customer of an outsourcing service provider simply to require that the outsourcing service provider complies with the requirements of the Privacy Act 1988, including the NPPs, and leave it at that? In my view, it is almost certainly not enough.

A private sector customer of an IT outsourcing provider has two basic concerns:

• that personal information processed on behalf of the customer by the service provider is protected against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against unlawful forms of processing[6] — in other words, that the data is basically kept secure and its integrity is preserved; and
• that the service provider does not, by act or omission involve the customer in liability for any breach of the Privacy Act 1988 by the service provider or any relevant code of practice and of any sectoral legislation or legislation which regulates particular practices.[7]

A simple wishlist

In practice these concerns are likely to boil down to the following drafting ‘wishlist’.[8] The service provider clauses in outsourcing contracts should include:

• confidentiality undertakings (which are also imposed on employees of the outsourcing service provider) and access to personal information being confined to authorised personnel of the outsourcing service provider;
• accepting all privacy obligations under relevant legislation (such as the Privacy Act 1988 as amended), sectoral obligations (for example the Telecomm-unications Act 1997), relevant Codes of Conduct, and legislation dealing with certain practices such as the interception of personal commun-ications and workplace surveillance;
• an obligation to comply with the customer’s own privacy standards and the customer privacy policies when involved in information collection and management unless these are inconsistent with the service provider’s compliance with the previous point;[9]
• an indemnity for any liability arising out of the service provider’s breach of their privacy obligations;
• an obligation to permit the customer to audit (either directly or through its auditors) the information practices of the service provider relating to the processing of information as set out in the contract, with the service provider providing all reasonable assistance to the party conducting the audit;
• a mechanism for dealing with complaints and disputes about the outsourcing service provider’s processing of personal information (which may form part of the general enforcement provisions of the contract, or may be dealt with according to an approved code of practice or through the complaints procedures under the Privacy Act 1988);
• obligations on the service provider to inform the customer of any breaches or alleged breaches of security or of the privacy principles, guidelines or any Code of Practice with which the service provider has agreed to comply;
• acceptance of obligations equivalent to those of the customer to provide individuals with access to personal information, with rights to correct and an obligation to inform the customer of access requests received by the service provider;
• an undertaking to process personal information only in accordance with the customer’s instructions as set out in the service level agreement to the outsourcing contract;
• controls on subcontracting; and
• generally, a commitment that there shall be no transfer of personal information outside of Australia, unless subject to the requirements of the NPPs (especially NPP 9) and subject to the controls set out above on the recipient for the purposes of NPP9(f) if transfer is to be permitted.

Termination clause

The termination provisions should also impose obligations on the service provider with respect to:

• retaining personal information to the extent that a purpose for collection, use or disclosure remains under NPP 2; and
• destroying or permanently removing all identifying information from any remaining records of personal information if the outsourcing contract expires or is terminated.

In practice, exit plans in outsourcing contracts deal with the orderly migration of service to a new provider and include data transfer. There is inevitably a ‘hand over’ period when the outgoing and the incoming outsourcing service provider may be both handling personal information. The privacy obligations in the outsourcing service contract must survive any termination of the contract to cover the possibility that personal information has been retained, deliberately or inadvertently.

Withdrawal of consent

Similarly, if an individual withdraws consent for the use of their personal information the service provider must, subject to other obligations to retain some information as to the withdrawal of consent, return or destroy all personal information on that individual.[10]

Where a service provider is told or learns of an individual’s withdrawal of consent (which is likely in such business function contracts as call centre contracts), there should be a contractual obligation to advise the customer of that withdrawal of consent.

Applying the wishlist in practice

Privacy clauses and outsourcing service contracts should not be seen in isolation. In practice, the privacy practices of the outsourcing service provider and the 11 wishlist principles set out above are subsumed into the general obligation on the outsourcing service provider to provide the outsourced service as described in a service level agreement. The service level agreement specifies the standards of service and generally sets out either a scheme of liquidated damages or service creditors for breaches of those service levels, together with detailed reporting mechanisms and general change control mechanism to allow alteration to the service level agreement. Thus, for example, mechanisms for handling complaints and resolving disputes will form part of the wider enforcement mechanism of the outsourcing service contract itself.

In addition, a number of the concerns set out in the wishlist principles above are not unique to privacy compliance, such as those applying to subcontracting, security, access being confined to authorised personnel and so on. The privacy compliance regime set out in the wishlist principles needs to be integrated into the wider question of specifying the obligation to provide the outsource service, the standards of quality for that service and what happens when those quality standards are breached.

An approved privacy code under the Privacy Act 1998 may in itself contain a complaints resolution mechanism which has been approved by the Privacy Commissioner or which makes use of the complaints resolution process operated by the Privacy Commissioner (Pt V of the Privacy Act 1988 as amended).

Given that the outsourcing service provider arguably has its own obligation to comply with the NPPs, drafting of a suitable privacy clause according to the wishlist principles depend very much upon the nature of the outsourcing service provided under the contract. For example, in an ASP contract, privacy issues will revolve primarily around security issues, with any data quality issues largely confined to problems in data quality caused by interruption of service, failure of backups, disasters occurring in the outsourcing service provider’s computer room. The contract will also include basic provisions concerning subcontracting, access to approved personnel only and a general indemnity with respect to any liability under the Privacy Act 1988 as amended arising from the act or omission of the outsourcing service provider, its employees, agents or subcontractors broadly reflects the fact that in an ASP contract the outsource service provider’s role is to provide the IT data processing and telecommunications services required for the customer to perform various data processing functions including any collection, use or disclosure of personal information.

The privacy position is much more complex where a business function has been outsourced. In business function outsourcing contracts, such as call centre management contracts, the outsourcing service provider and the customer become ‘co-ordinate managers’ of the personal information processed on the outsourcing service provider’s computer systems. The outsourcing service provider will therefore assume joint, if not primary, responsibility for any or all of the collection, use or disclosure of personal information for the purposes of the NPPs.

Privacy in public sector outsourcing

In Outsourcing and privacy: advice for Commonwealth Agencies considering contracting out (outsourcing) infor-mation technology and other functions’ (1994), The Privacy Commissioner’s Privacy Advisory Committee sets out guidelines for the protection of privacy and personal information where the activities of Commonwealth agencies have been outsourced. In effect, where a Commonwealth agency outsources one or more of its functions, the privacy of individuals can be compromised simply because the outsourcing service provider is not bound by the IPPs and, until 21 December 2000, will not be bound by the NPPs, (unlike the agents or employees of an agency: s 8 Privacy Act 1988.)

Currently, neither the agency nor the outsourcing service provider is liable for a failure to comply with the IPPs which arises solely from an act or omission of the outsourcing service provider. However, the agency may be liable to individuals whose privacy may have been compromised by the act or omission of an outsourcing service provider. For example, where personal information has been disclosed by the outsourcing service provider as a result of a breach of security, the agency remains liable under IPP 4 (which deals with the storage and security of personal information). Under IPP 4, a recordkeeper who has actual possession or control of a record that contains personal information shall ensure that:

• the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
• if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the recordkeeper is done to prevent unauthorised use or disclosure of information contained in the record.

The agency’s liability under IPP 4 is therefore dependent on to what extent it has ‘control’ of a record being processed by an outsourcing service provider and, if it does, what steps it has to take to ensure the outsourcing service provider’s compliance with IPP 4(a). Where a sufficient degree of control exists, the agency will be liable under IPPs 4 through to 11 for the activities of the outsourcing service provider. If the contractual service provider is collecting, using or disclosing personal information, then IPP I3 is applicable as well. Similarly, there are questions of the standard of the duty imposed by IPP 4(b) to do everything within the power of the agency as recordkeeper to prevent unauthorised use or disclosure of the information contained in the record.

The fact that the IPPs do not extend to outsourcing service providers under public sector outsourcing contracts means that individuals whose privacy has been compromised by the acts or omissions of an outsourcing service provider have no rights against that outsourcing service provider until the private sector regime comes into effect. Private sector outsourcing service providers are currently largely outside the jurisdiction of the Privacy Commissioner, with the exception of the Privacy Commissioner’s power to obtain information from third parties in the course of its investigation of breaches of the Privacy Act 1988 by an agency.

Accordingly, the Privacy Advisory Committee recommended that agencies should impose contractual security provisions in order to meet its security obligations under IPP 4 and also to preserve the rights of individuals under the Privacy Act 1988 so far as possible. They will also seek, as far as possible, to extend the protection of the other IPPs by contract to the processing of public sector personal information by a private sector outsourcing service provider.

While there are substantial similarities between the IPPs and the NPPs, there are also certain differences. One of these can be illustrated by the comparison between IPP 4 and NPP 4 dealing with security standards. IPP 4 casts a duty on the agency to ensure (by contract: s 95B) that the agency’s duties with respect to security are passed onto the outsourcing service provider. NPP 4 contains no such requirement. The IPPs also contain extra detail in relation to the act of soliciting personal information from an individual (IPPs 2 and 3) and other differences in relation to the use and disclosure of personal information.

The fact that a private sector outsourcing service provider is subject to the NPPs and may, by contractual provision, be made subject to the IPPs gives the potential for a conflict between the two in a public sector outsourcing contract and the possibility that the outsourcing service provider, in trying to comply with the contractually imposed IPPs, breaches one of the NPPs. Section 6A(2)(ii) of the Privacy Act 1988 (as amended) sets out the circumstances under which an act or practice of an organisation which is a contracted service provider under a Commonwealth contract (that is, a contract under which services are provided to a Commonwealth agency) will not breach a NPP where this act or practice is done from meeting, directly or indirectly, an obligation under the contract and the act or practice is authorised by a provision of the contract that is inconsistent with the NPP concerned. Section 6B(2)(ii) applies in the same way to the requirements of an approved privacy code under the Privacy Act 1988. Section 95B contains complementary provisions to s 6A(2)(ii) and s 6B(2)(ii). Section 95B requires an agency entering into a Commonwealth contract to ‘take contractual measures to ensure that a contracted service provider for the contract does not do or act, or engage in a practice, that would breach an Information Privacy Principle if done or engaged in by the agency’. Under s 95B(3) the agency must also ensure that an act or practice that would breach an IPP is not authorised by a subcontract (which under ss 95B(4) is defined as where a service provider for the Commonwealth is engaged to provide services to another contracted service provider for the Commonwealth or any agency of the Commonwealth for the purposes, whether direct or indirect, of the Commonwealth contract).

The Privacy Advisory Committee’s guidelines referred to above continue to be relevant to outsourcing in the public sector. As the IPPs remain enforceable on the outsourcing service provider only by way of contract, the doctrine of privity of contract ensures that individuals have no right to enforce the terms of the Commonwealth contract against the outsourcing service provider. However, s 95C requires the disclosure of certain provisions of Commonwealth contracts and gives any person the right to ask a party to a Commonwealth contract for information on the content of provisions (if any) to the contract that are inconsistent with an approved privacy code binding a party to the contract to an NPP, and to receive a written response. This is an important right in the light of s 13A(1)(c). This section extends the definition of an ‘interference with the privacy of an individual person’ to cover situations where contracted service providers under a Commonwealth contract breach any contractual obligations which relate to the NPPs. The effect of this provision is where 6A(2)(ii) or 6B(2)(ii) allows a contractual provision under a Commonwealth contract to override one of the NPPs or an approved privacy code, then the ‘penalty’ for an act or practice of the contracted service provider which is contrary to or inconsistent with the provision of the Commonwealth contract is that this will be an interference with the privacy of an individual. This interference with the privacy of an individual allows an individual to make a complaint to the Privacy Commissioner under s 36(1). In addition, s 36(1)(c) also allows an individual to complain to the Privacy Commissioner about an act or practice engaged in by an organisation purportedly for the purpose of meeting (directly or indirectly) an obligation under a Commonwealth contract, whether or not the organisation is a party to that contract, for example, the organisation is a supplier to a party to the Commonwealth contract. This would catch both the outsourcing service provider and their subcontractors.

The Privacy Act 1988 contains certain protections against the misuse of personal information processed under a Commonwealth contract by a contracted service provider. Section 16F expressly prohibits the use of personal information processed by a contracted service provider for direct marketing unless the use or disclosure for direct marketing is necessary to meet (directly or indirectly) an obligation under the contract. Section 16F expressly overrides NPP 2.1, which permits the use of personal information for the secondary purpose of direct marketing and also overrides the provisions of any relevant approved privacy code binding the organisation in relation to the personal information (s 16F(3)(a) and (b)).

Contracted service providers who would otherwise be exempt small business operators for the purposes of s 7(1) of the Privacy Act 1988 lose the benefit of that exemption if they become a contracted service provider for a Commonwealth contract. Such small business operators do not need to comply with the NPPs or a binding approved privacy code other than with respect to their performance of a Commonwealth contract. It also follows that as a contracted service provider the activities of these organisations can constitute an interference with the privacy of an individual for the purposes of s 13A of the Privacy Act 1988, but not otherwise.

The Privacy Act 1988 in this context applies to outsourcing by Commonwealth agencies. State and Territory government agencies and organisations are not regulated by the Privacy Act 1988. In the absence of specific State or Territory legislation they are not required to comply with the IPPs. In NSW the Privacy and Personal Information Protection Act 1988 imposes privacy protection principles similar to the IPPs (Pt 2 Div 1 of the Privacy and Personal Information Protection Act 1988). There is also similar legislation in Victoria — the Information Privacy Act (Vic) 2000. Section 12 of the NSW Act contains similar provisions to IPP 4 of the Commonwealth Privacy Act 1988. Again, like the Commonwealth Act, the provisions of the State IPPs do not apply directly to private sector outsourcing service providers and must be imposed on them by way of contract. However, should a NSW State government agency seek to impose by contract State IPPs set out in P 2 Div 1 of the Privacy and Personal Information Protection Act 1988, the NSW Act contains no equivalent to s 6A and s 6B of the Privacy Act 1988 which has the effect of curing breaches of the NPPs or approved privacy codes by a private sector outsourcing service provider.

The State legislature will have to consider whether to plug this particular gap in the Privacy and Personal Information Protection Act 1988 and also consider whether s 13A(1)(c) of the Commonwealth Act must be enacted into NSW law. The effect of enacting the NPPs, both at State and Federal level, has been to create a confused situation where outsourcing service providers who are contracted service providers under a Commonwealth contract gain certain protection from breaches of the NPPs and approved privacy codes which outsourcing service providers to state agencies do not.

Certainly the advent of the NPPs requires both Commonwealth and State agencies to examine their contracting practice and standard privacy clauses for compliance with the amended Privacy Act 1988. The gap in protection at State level given the introduction of the NPPs needs to be addressed, as it is inconsistent with the treatment of contracted service providers under Commonwealth contracts.

Jane Rawlings is a Senior Associate at the Sydney office of Baker & McKenzie. This article was first presented at a Continuing Legal Education seminar of the University of NSW Law Faculty. It is reproduced here by kind permission of the UNSW CLE program and Baker & McKenzie.

[1] Credit providers and credit reporting agencies are regulated by Pt 3A of the Privacy Act 1988 (Cth) and the Credit Reporting Code of Conduct, which together apply privacy principles to the specialised area of consumer credit reporting. These provisions together cast primary liability for compliance on credit providers and the credit reporting agencies themselves, not upon their agents, including providers of outsourced IT services required to operate either a credit reporting agency or to support credit provision services.

[2] These do not address issues such as who should adopt the principles, mechanisms for complaints, compliance and disputes, personal information of employees (although this is now the subject of an exemption in the Privacy Act 1998 as amended) and transitional issues as to whether the principles applied to personal infor-mation collected before the principles were implemented.

[3] The emerging de facto benchmark of privacy legislation worldwide is not the OECD Data Privacy Principles but Directive 95/9/EC of the European Parliament and of the Council of Europe of 24 October 1995 on the Protection of Individuals with Respect to the Processing of Personal Data (the ‘Data Protection Directive’). The Data Protection Directive imposes the primary obligation for compliance with data protection principles on the controller of personal data; that is, the entity which alone or jointly determines the purposes and means of processing personal data (or which is designated as such by national or European community laws or regulations). However, the Data Protection Directive also recognises the concept of a ‘processor’ of personal data which processes personal data on behalf of the controller but is not a controller in their own right; art 2(e) of the Data Protection Directive. Articles 10 and 11 relate to the information that must be provided when personal data is collected from a data subject and where personal data has not been collected directly from the data subject. Both refer to the controller and to the concept of a controller’s ‘representative’, which does suggest the notion of agency on behalf of a data controller such as the activities of, say, an outsourced business function service provider. However art 17 makes it clear that where an outsourcing service provider acts purely as a processor then the only obligations that can be placed on them are the obligation to act only on instructions from the controller and the obligations under art 17(1) concerning security (which may be further defined by the laws of the member state in which the processor is established) that are also placed upon the processor. Article 17(1) requires the controller (and hence the processor of personal data) ‘to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful distraction or accidental loss, alteration, unauthorised disclosure or access .... and against all other unlawful forms of processing’. No such protection appears to have been allowed for outsourcing service providers in Australia who act only as a ‘processor’ rather than as processor and controller as those terms are understood under the Data Protection Directive.

[4] The IIA Code contains a permission based ‘opt in’ approach to consent for the purposes of direct marketing.

[5] The ADMA Code operates an ‘opt out’ approach to the use of personal information in direct marketing.

[6] This borrows the wording of art 17(1) of the Data Protection Directive. NPP 4 refers to ‘reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure’: NPP 4.1. Higher security standards than NPP 4 may be commercially appropriate in light of the activities concerned. NPP 4 does not set a particularly demanding standard when judged against other international standards of data security. A higher standard may also be required by legislation or code of conduct.

[7] Privacy Advisory Committee ‘Outsourcing and privacy: advice for Commonwealth agencies considering contracting (outsourcing) out information technology and other functions’ August 1994; available at <www.privacy.gov.au /public/index.html>.

[8] This is, of course, a high level and general drafting guide. Careful consideration must be given to the particular risk to privacy and personal information posed by the nature of the IT service or business function that has been outsourced.

[9] This statement flows from the service provider’s obligation to comply with the NPPs even when simply providing contractual ‘processing’ services. This requires both parties to include the customer’s privacy standards for compliance with privacy law and to deal with any inconsistencies within the contract.

[10] One practical solution is for a third party to maintain ‘opt out’ or ‘opt in’ lists which must be consulted before, for example, conducting a new marketing campaign.