Disclosure of personal information to third parties

Background

28.41 Unlike NPP 4, IPP 4 expressly obliges a record-keeper to take reasonable steps to prevent unauthorised use or disclosure of personal information contained in a record where the record is given ‘to a person in connection with the provision of a service to the record-keeper’.[45] In addition, s 95B of the Privacy Act requires an agency entering into a Commonwealth contract to take contractual measures to ensure that a service provider does not do an act or engage in a practice that would breach the IPPs.[46] This raises the question of whether the ‘Data Security’ principle should require organisations, as well as agencies, to ensure the protection of personal information they disclose to contractors.[47]

28.42 A potential advantage of making specific provision in this area is that it would overcome some of the problems that arise where an organisation engages in outsourcing—for example, where an organisation subcontracts to an entity that is not covered by the Privacy Act. The OPC has responded to the problem of outsourcing by issuing guidance, stating that ‘where there is a particularly close relationship between an organisation and a contractor it may mean that the actions of the contractor could be treated as having been done by the organisation’.[48] In the specific context of an organisation that contracts with an entity that is subject to the small business exemption, the OPC stated:

If an organisation is contracting with a business that is not covered by the Privacy Act it would be advisable to encourage the contractor to opt in to being covered … One way of doing this would be to make opting in a condition of the contract.

Another less effective option would be for the organisation to have terms and conditions in the contract. These would bind the contractor to taking steps necessary to protect the personal information it holds that would be equivalent to the steps required by the NPPs.[49]

28.43 In 2005, the OPC recommended that the Australian Government consider amending NPP 4 to require organisations to ensure the protection of personal information they disclose to contractors.[50]

Submissions and consultations

28.44 In DP 72, the ALRC proposed that the ‘Data Security’ principle should require an agency or organisation

to take reasonable steps to ensure that personal information it discloses to a person pursuant to a contract, or otherwise in connection with the provision of a service to the agency or organisation, is protected from being used or disclosed by that person otherwise than in accordance with the UPPs.[51]

28.45 A large number of stakeholders supported the proposed expansion of the ‘Data Security’ principle.[52] Optus noted, for example, that ‘obligations on contractors, as well as organisations, improve accountability and serves to strengthen Australia’s privacy regime’.[53] PIAC commented that this obligation, in addition to the proposal to remove the small business exemption, would ensure that there are very few situations where contractors would be able to operate without being subject to privacy principles.[54] The Australian Bankers’ Association (ABA) supported the proposal, provided it operated independently of the ‘Cross-border Data Flows’ principle.[55] Suncorp-Metway supported the proposal subject to not having to alter any contracts retrospectively.[56]

28.46 Some stakeholders suggested that limiting the obligation to contractors or disclosure ‘otherwise in connection with the provision of a service to the agency or organisation’ was unnecessarily narrow.[57] The Cyberspace Law and Policy Centre, for example, submitted that the obligation should apply to all personal information that an agency or organisation discloses to a third person.[58] Privacy advocates also suggested that an agency or organisation should take steps to require third parties to handle personal information in accordance with privacy requirements other than the ‘Use and Disclosure’ principle, including: the remaining obligations in the ‘Data Security’ principle;[59] the ‘Notification’ principle;[60] the ‘Data Quality’ principle;[61] and the ‘Cross-border Data Flows’ principle.[62] The Australian Privacy Foundation suggested that third party recipients should be required to observe all relevant UPPs in relation to that information.[63] Smartnet submitted that the principle should extend so that the

initial collecting organisation remain[s] accountable for the use and protection of all information it collects, even when that information has been transferred to another party.[64]

28.47 Several organisations did not support the ALRC’s proposal.[65] The Recruitment and Consulting Services Association Australia and New Zealand submitted that the principle of individual responsibility is a more effective and less costly way of ensuring good privacy compliance.[66] GE Money was concerned that

the privacy regime will not sufficiently recognise the extent to which organisations outsource a wide variety of functions and the extent to which the organisation cannot provide products and services unless these disclosures take place.[67]

28.48 Two stakeholders also sought clarification on what would be required for agencies and organisations to ensure that personal information disclosed to a service provider is handled in accordance with the UPPs.[68] ANZ submitted that, provided a third party has agreed to undertake ‘reasonable steps’ to protect personal information, this should satisfy the proposed requirement. ANZ noted:

As an overriding principle, ANZ would not enter into a contractual arrangement with a third party if it believed the party did not have adequate information security processes in place.[69]

28.49 In comparison, the Cyberspace Law and Policy Centre submitted that compliance with the principle should include the recipient demonstrating a commitment to comply with the relevant privacy obligations, for example through a privacy policy.[70]

ALRC’s view

28.50 The ALRC does not recommend that a requirement be included in the ‘Data Security’ principle for agencies and organisations to protect information disclosed to third parties. Even in the absence of such a requirement, agencies remain subject to the requirements in s 95B of the Privacy Act—that is, the agency must take contractual measures to ensure that contracted service providers do not breach the privacy principles. There is no need for a change to the current law.

28.51 This position assumes the implementation of other recommendations in this Report—in particular, the removal of the small business exemption[71] and the recommended changes to the ‘Cross-border Data Flows’ principle.[72] Provided these recommendations are implemented, there will be few, if any, situations where a contracted party will not be under an obligation to comply with the Privacy Act. Accordingly, a requirement for contracting organisations to ensure that personal information disclosed in accordance with a contract retains privacy protections will be largely redundant.

28.52 If the above recommendations are not implemented, however, then a requirement for organisations to take steps to protect information disclosed to a third party pursuant to a contract, or otherwise in connection with the provision of a service, will be an integral component of the Privacy Act. This could be included in the ‘Data Security’ principle, as proposed in DP 72, or as a separate ‘contractors’ provision, similar to the s 95B requirements.

[45] Privacy Act 1988 (Cth) s 18G imposes similar data security obligations on credit reporting agencies and credit providers in respect of credit files and reports given to persons in connection with the provision of a service to those agencies or providers. Credit reporting is discussed in detail in Part G.

[46] Section 95B is discussed in detail in Ch 14.

[47] See Australian Law Reform Commission, Review of Privacy, IP 31 (2006), Question 4–17.

[48] Office of the Federal Privacy Commissioner, Contractors, Information Sheet 8 (2001).

[49] Ibid. Note, however, that the ALRC recommends removing the small business exemption from the Act: see Ch 39.

[50] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 54. See also rec 56, which states that the OPC should issue guidelines to clarify that businesses which give personal information to contractors should impose contractual obligations on any contractors to take reasonable steps to protect the information.

[51] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 25–2.

[52] Australian Government Centrelink, Submission PR 555, 21 December 2007; Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[53] Optus, Submission PR 532, 21 December 2007.

[54] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[55] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.

[56] Suncorp-Metway Ltd, Submission PR 525, 21 December 2007.

[57] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Smartnet, Submission PR 457, 11 December 2007.

[58] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[59] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[60] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[61] Ibid.

[62] Ibid.

[63] Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[64] Smartnet, Submission PR 457, 11 December 2007.

[65] GE Money Australia, Submission PR 537, 21 December 2007; ANZ, Submission PR 467, 13 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[66] Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007.

[67] GE Money Australia, Submission PR 537, 21 December 2007.

[68] Medicare Australia, Submission PR 534, 21 December 2007; ANZ, Submission PR 467, 13 December 2007.

[69] ANZ, Submission PR 467, 13 December 2007.

[70] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[71] The small business exemption is discussed in Ch 39.

[72] The ‘Cross-Border Data Flows’ principle is discussed in Ch 31.