Australia - What Are Your Privacy Obligations Under A Commonwealth Contract?
Legal News & Analysis - Asia Pacific - Australia - Cybersecurity
19 May, 2017
Organisations that contract with the Commonwealth Government face strict information handling and data management obligations in those contractual arrangements. These contractual obligations sit alongside any statutory obligations the organisation has under the Privacy Act 1998 (Cth) (Privacy Act) and under any other legislation to which the organisation is subject.
It is important for those organisations to be aware that, when contracting with the Commonwealth Government under a contract that involves collecting, handling, using, disclosing or destroying personal information, the repercussions for non-compliance with the provisions of the Privacy Act will be both contractual and statutory.
For guidance as to what personal information is, see the guidance published by the Office of the Australian Information Commissioner (Commissioner).
Here are a few pointers to consider, from a privacy perspective, when contracting with the Commonwealth Government:
1. Are you a contracted service provider or a subcontractor under a Commonwealth contract?
The Privacy Act places obligations on "contracted service providers" and "subcontractors" to a "Commonwealth contract" who handle "personal information".
A Commonwealth contract for the purposes of the Privacy Act is a contract to which the Government or an agency is a party. This includes a wide range of Commonwealth Government bodies and departments. In approaching a Commonwealth contract you should be aware that:
- The obligations under the Privacy Act apply also to those contracted service providers outside of Australia.
- The Government or an agency will require you to contractually agree to not do an act or engage in a practice that would breach any of the 13 Australian Privacy Principles (APPs).
A party to a Commonwealth contract, or a contractor or subcontractor under one, is an APP entity for the purposes of the Privacy Act, irrespective of whether the entity meets the minimum threshold of AUD 3 million annual turnover for a small business. Organisations that might not ordinarily be subject to the Privacy Act will therefore, by virtue of the Commonwealth contract, become subject to the regime.
2. Know industry expectations as to information handling and security
As the frequency of cyber security incidents increases, the Commonwealth Government is taking a risk-based approach to protecting information and ICT systems. Commonwealth contractors and subcontractors should be aware of relevant standards and guidelines such as:
- The Australian Signals Directorate (ASD) guidelines on cyber security for contractors.
- The ASD standards for information security across government (the Australian Government Information Security Manual (ISM)), which apply to businesses handling sensitive or classified information under agreement with the Government.
- Information Security Registered Assessors Program (IRAP) certification, which applies to businesses providing information technology services to the government.
Contractors and subcontractors may be required to undergo regular IRAP assessment, as well as to maintain certification against the ISM. These obligations are mandated in Commonwealth contracts and are likely to also flow through subcontracts, requiring subcontractors to meet the same standards.
3. Consider the broader investigative powers of the Commissioner
Aside from the contractual ramifications that arise from a breach of the Privacy Act under the Commonwealth contract, where there has or may have been an interference with privacy, the Commissioner can launch an investigation into an incident or practice relating to the personal information.
An investigation can lead to declarations that steps be taken to redress loss, that compensation be paid, or that an entity notify the individuals affected by a breach. Serious and repeated interferences with privacy can lead to significant penalties of as much as AUD 1.8 million for a company.
4. Consider the entire information lifecycle of data
Certain obligations under Commonwealth contracts extend beyond the terms and period of the contract. For example, Commonwealth Government record keeping requirements may require organisations to hold information for longer than the period of the Commonwealth contract.
Organisations party to a Commonwealth contract, and those who handle Commonwealth records, should consider their legal and regulatory obligations regarding the destruction or disposal of those records.
Contracting with the Commonwealth Government can be a fruitful engagement, but organisations entering into Commonwealth contracts should keep the above points in mind when agreeing to such contractual arrangements.
For further information, please contact:
Dean Carrigan, Partner, Clyde & Co