Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Privacy and security
Malcolm Crompton, Federal Privacy Commissioner
Breaches of government security are subject to high levels of media scrutiny and community attention. Even after 11 September, the public will still expect security services to be provided in a way that respects civil liberties including privacy. As providers of security services, whether public servants or contracted suppliers, the question needs to be asked: how can both these objectives be achieved in light of higher expectations that security will not be breached?
The answer to this question may directly influence whether service buyers or service providers meet the requirements of recent amendments to privacy legislation. This in turn will influence who wins and who loses contracts to provide security services.
Selecting, winning and delivering the contract
The Privacy Act 1988 contains two sets of privacy principles, Information Privacy Principles (IPPs) and National Privacy Principles (NPPs).
The eleven IPPs detail the information handling practices for government agencies and the ten NPPs detail the minimum level expected of the private sector.
For Contracted Service Providers (CSPs), the key to understanding how the Privacy Act applies to them is to understand the policy intent behind the amendments to the Act that came into effect on 21 December 2001.
The policy intent of the amendments as they apply to CSPs is to ensure that the privacy protection of personal information is not changed simply because the personal information is handled in some way by a CSP instead of a Commonwealth agency.
Hence, CSPs are required to comply with the IPPs when handling personal information on behalf of the agency under a contractual arrangement, even if they would otherwise be required to comply with the NPPs.
For areas where there is no provision in the contract that is equivalent to the NPPs, the NPPs are the standard.
Moreover, in fulfilling the policy intent, the Act as now amended ensures that:
- The acts and practices of a CSP will be investigated by the Commissioner, with the CSP as the respondent.
- The legislation ensures that contractors and their subcontractors can be held accountable under the Privacy Act for any breaches of privacy obligations that they commit.
- An individual who considers that a contractor or subcontractor has breached their obligations in the handling of personal information about them can complain to the Commissioner.
- The Commissioner's complaint handling powers under Part V of the Privacy Act 1988 apply to complaints about CSPs, including wide-ranging powers to obtain information and to take evidence under oath.
Information Sheet 14 - 2001 Privacy obligations for Commonwealth contracts
Summary of matters agencies should consider when contracting out services
Agencies should include appropriate privacy clauses in contracts to ensure that CSPs do not act in a way that would be a breach of the IPPs if the act or practice was done by the agency itself.
Agencies should be aware that simply stating in the contract that the CSP should not breach the IPPs is unlikely to meet their obligations under section 95B and that, in particular, the agency may need specific provisions relating to openness (IPP 5) and access (IPP 6).
Agencies should also ensure that contracts contain provisions that prevent subcontracts from authorising an act or practice that would be a breach of the IPPs if the act or practice was done by the agency itself.
If a contract involves the provision of services to third parties, agencies should consider whether those services are connected with the performance of their functions. If the services are connected the agency will need to ensure that it complies with its obligations under section 95B and ensure the CSP is aware of the special provisions under the Privacy Act that apply to it.
Agencies should be aware that if there is no clause in the contract corresponding to the NPP (or to a relevant approved code), the NPP (or the approved code) will apply to the CSP.
Agencies should consider whether it is appropriate to include in the contract privacy clauses addressing the following NPPs (or the code equivalent):
- NPP 7 Government identifiers
- NPP 8 Option of remaining anonymous
- NPP 9 Disclosure to organisations in foreign countries
- NPP 10 Collection of sensitive information.
Agencies should state in the contract whether or not the contract requires the CSP to engage in direct marketing and, if the contract does not require direct marketing, it should confirm the CSP's obligation not to use the information it collects under the Commonwealth contract for direct marketing.
Agencies are required to provide a person who asks for a copy of the privacy clauses in a contract that are inconsistent with the NPPs (or with a relevant approved code binding to a party to the contract) with a copy of those clauses.
Agencies should be aware that complaints about acts or practices of a CSP will be investigated by the Commissioner, with the CSP as the respondent (unless the Commissioner decides otherwise).
Agencies should also be aware that the Commissioner may substitute an agency for a CSP as a respondent to a complaint if the organisation that is the contractor dies, ceases to exist or becomes bankrupt etc, and that the agency may be liable to pay compensation if the Commissioner so decides.
Summary of matters CSPs should consider when entering Commonwealth contracts
Even if a CSP is a small business usually exempt from the NPPs, the CSP will need to comply with the Privacy Act (and the contract) in relation to its activities under the Commonwealth contract.
A contractor will need to be aware that where it provides services to third parties on behalf of an agency, it will be a CSP if those services are connected with the performance of the functions of the agency. If the services are connected, the contractor will be subject to special provisions in the Privacy Act that apply to CSPs. If, as a matter of good practice, an agency has not indicated whether a service is connected with a function of the agency, a contractor should check with the agency.
A CSP (and the agency) is required to provide a person who asks for a copy of the privacy clauses in a contract that are inconsistent with the NPPs (or with an approved code binding a party to the contract) with a copy of those clauses.
The Privacy Act prohibits CSPs from using or disclosing personal information collected under a Commonwealth contract for direct marketing unless the use or disclosure is necessary to meet (directly or indirectly) an obligation under the contract.
CSPs should be aware that if there is no clause in the contract corresponding to the NPP (or to a relevant approved code), the NPP (or the relevant approved code) will apply to the CSP.
CSPs should be aware that there would be some additional obligations on them over and above the IPPs (unless the contract otherwise provides) because the NPPs (or the code equivalent) deal with some things not addressed by the IPPs. For example:
- NPP 7 Government identifiers
- NPP 8 Option of remaining anonymous
- NPP 9 Disclosure to organisations in foreign countries
- NPP 10 Collection of sensitive information.
CSPs should be aware that the Commissioner has the power to investigate complaints and undertake own motion investigations of acts and practices of CSPs.
Unless the Commissioner decides otherwise, the CSP will be the respondent to any complaint to the Commissioner about activities of the CSP and if compensation is payable, the CSP will be responsible for paying the compensation.
CSPs should be aware that the NPPs will apply to their business activities that are not related to the Commonwealth contract unless the CSP is otherwise exempt (for example, because it is a small business operator in relation to those activities).


