Information Sheet (Private Sector) 8 - 2001: Contractors
This information sheet aims to help organisations that enter into contracts with other parties to comply with their obligations under the National Privacy Principles (NPPs) in the Privacy Act 1988 (Cth) (the Privacy Act). In particular, it is relevant to an organisation that enters into a contract with another party (the contractor) in which the contractor:
- supplies services to the organisation; or
- supplies services to someone else on behalf of the organisation; and
the contract involves the contractor handling personal information in some way.
This information sheet is also relevant to helping such contractors comply with their obligations under the NPPs.
The Privacy Act treats the acts and practices of employees (and those 'in the service of' an organisation) in performing their duties of employment as those of the organisation (see section 8(1)(a)). Contractors performing services for an organisation are not considered to fall within this provision. However, where there is a particularly close relationship between an organisation and a contractor it may mean that the actions of the contractor could be treated as having been done by the organisation for the purposes of section 8 of the Privacy Act.
This information sheet also covers situations where the organisation and the contractor would be regarded under the Privacy Act as separate entities.
In practical terms there may be little difference between these two situations in what an organisation needs to do to meet its obligations. This is covered below.
Contracting with businesses not covered by the Privacy Act
An important consideration for an organisation entering into a contract described above will be whether the Privacy Act covers the contractor. For example, a business with a turnover of $3 million or less may not fall within the definition of an 'organisation' under the Privacy Act. If it does not, the contractor would be exempt from having to comply with the NPPs. However, if a business handles personal information under a contract with an organisation it may, in some circumstances, be regarded as either collecting or disclosing personal information for a benefit, service or advantage and so fall within the definition of 'organisation' (see section 6D(4)(c) or (d)).
For more information about what private sector entities the Privacy Act applies to refer to the Information Sheet 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions.
If an organisation is contracting with a business that is not covered by the Privacy Act it would be advisable to encourage the contractor to opt in to being covered using section 6EA of the Privacy Act. One way of doing this would be to make opting in a condition of the contract.
Another, less effective, option would be for the organisation to include terms and conditions in the contract that bind the contractor to take steps to protect the personal information it holds that are equivalent to the steps required by the NPPs.
Disclosure to contractors
Where an organisation and a contractor are separate entities under the Privacy Act, an organisation that gives personal information to a contractor is disclosing information and the contractor is collecting the information. In practical terms, this means that the organisation may need to have clauses in the contract for the protection of personal information the organisation discloses to the contractor, in order to meet its obligations under the NPPs.
The remainder of this information sheet is relevant to where both the contracting entity and the contractor are 'organisations' covered by the Privacy Act and so both have obligations to comply with the NPPs.
NPP 1 and NPP 10 - Collection
When an organisation contracts out functions or activities, both the organisation and the contractor have obligations under either NPP 1.3 or NPP 1.5 to take reasonable steps to make an individual aware of certain information. These are covered below.
The contracting organisation
Where a contracting organisation usually discloses personal information to a contractor, the contracting organisation must take reasonable steps to ensure that the individuals from whom it has collected the information are made aware of these disclosures (NPP 1.3(d)). The steps an organisation must take to inform individuals that personal information about them will be disclosed to contractors will depend on the circumstances.
In some cases an organisation may inform individuals about the types of contractors to which it discloses personal information, for example, a mailing house or an IT company. In other cases, there may be a good reason for naming a particular organisation. In some circumstances, listing organisations by type rather than naming them specifically may give individuals a better idea of what will happen to their personal information.
What other details the contracting organisation makes an individual aware of, in relation to the contractor, will depend on the circumstances, including what the contracting organisations have agreed between them. However, such arrangements must not detract from the individual's privacy rights.
Tip for compliance
There are a number of ways that a contractor collecting personal information under a contractual arrangement could meet its obligations under NPP 1.5 to take reasonable steps to make individuals aware of NPP 1.3 matters. What are reasonable steps will depend on the circumstances. The contractor does not necessarily need to notify individuals itself. The organisation that originally collects the personal information could notify individuals that information about them will be disclosed to the contractor, and other relevant details including the purpose for which the contractor will use the information, and how individuals can contact the contractor.
In some cases it could be reasonable for no steps to be taken under NPP 1.5. An example of this could be where:
- the provisions of the contract have very strong and comprehensive privacy provisions that place stringent obligations on the contractor;
- the organisation is prepared to monitor the contractor to ensure that it complies with the NPPs; and
- the organisation is prepared to take ultimate responsibility for any breach of privacy the contractor commits (although it could still seek indemnity from the contractor).
An organisation might consider adopting this approach, for example, where it contracts out its call centre functions and the contractor interacts with individuals on behalf of the contracting out organisation.
Collecting sensitive information under a contract
A contractor that collects sensitive information would need to have the individual's consent.
Tip for compliance
The contractor collecting the sensitive information from the organisation could get the individual's consent by arranging for the organisation to get consent at the time it collects the information from the individual. The contracting out organisation could do this as part of the process of informing the individual of NPP 1.3 matters.
NPP 2 Use and disclosure
An organisation proposing to disclose personal information under a contract would need to consider how NPP 2 applies to the disclosure. In some situations where an organisation contracts out a function or activity, the disclosure will be for a primary purpose of collection or an activity that is related to the primary purpose and within the individual's reasonable expectations. Contracting out billing activities, customer inquiry activities, IT activities and mailing and other administrative activities could fall into these categories.
Where an organisation discloses personal information to a contractor to carry out activities that fall outside these categories, the organisation would generally need the individual's consent under NPP 2.1(b). For example, an organisation will need to get consent if it proposes to disclose personal information to a contractor for the purpose of carrying out marketing activities that are unrelated to the primary purpose of collection and outside a person's reasonable expectations.
Tip for compliance
Where an organisation contracts out a function or activity to a contractor, and makes a disclosure to the contractor that is permitted under NPP 2 for that purpose, the organisation could be at risk of receiving a complaint that it disclosed information in breach of NPP 2 if the contractor subsequently uses that information for a non-permitted purpose.
One way of reducing this risk is to ensure that the contract includes very clear provisions about the purpose for which the contractor is to use the information and other provisions necessary to ensure the contractor does not make unauthorised disclosures. It should also have provisions about how the contractor is to keep the information secure, and what it must do with the information when it has completed the contracted out activity.
NPP 4 - Data security
NPP 4 requires an organisation to take reasonable steps to protect the personal information it holds from misuse and loss, and from unauthorised access, modification, or disclosure. It would be advisable for an organisation that contracts out a function or activity to have in the contract provisions similar to those outlined in the tip for compliance above.
A contractor that collects information from a contracting organisation would have obligations of its own under NPP 4 to keep the information secure.
NPP 5 - Openness
To meet its obligations under NPP 5.2, an organisation that contracts out functions and activities involving personal information would generally need to be able to tell a person who asks:
- whether it discloses personal information to contractors;
- the purposes for which it discloses personal information to contractors;
- the names and types of organisations to which it contracts out functions and activities involving disclosure of personal information; and
- the contractual measures it takes (in general terms) to protect such personal information.
The contractor would also have an obligation to comply with NPP 5, but how it meets its obligation could be agreed with the contracting organisation as long as the rights of the individual are not diminished.
NPP 6 - Access and correction
NPP 6 requires an organisation to give an individual access (with some exceptions) to any information it holds about him or her.
Tip for compliance
In many cases, as long as an individual's right to access under NPP 6 is not diminished, contracting organisations could work out between themselves which organisation in the first instance would take responsibility for giving the individual access.
NPP 9 - Transborder data flows
An organisation that contracts out functions and activities involving disclosure of personal information to an organisation overseas would need to ensure it complies with NPP 9 before it transfers the information.
Getting the individual's consent to the transfer is one option under NPP 9 the organisation could take. Another would be to include in the contract provisions that give the personal information protection similar to that the individual would have under the NPPs if the information were in Australia.
For more information about the circumstances in which an organisation can transfer information to an overseas contractor refer to the Guidelines to the National Privacy Principles.
About Information Sheets
Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)
Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.
Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.
Organisations may also wish to consult the Commissioner's guidelines and other information sheets.
Office of the Privacy Commissioner ISBN 1-877079-30-8 Privacy Hotline 1300 363 992 (local call charge)