Save Search

Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Privacy Amendment Bill 1998

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

1998

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

PRIVACY AMENDMENT BILL 1998

EXPLANATORY MEMORANDUM

(Circulated by authority of the Attorney-General,

the Hon. Daryl Williams AM, QC, MP)

9726772

PRIVACY AMENDMENT BILL

OUTLINE

The bill gives effect to the Government's decision to extend the application of the Privacy Act to contractors holding personal information in relation to services provided to the Commonwealth. 

The amendments to the Privacy Act are contained in Schedule 1 to the bill and will:

require 'contracted service providers' (contractors and subcontractors providing services under a contract with the Commonwealth or a Commonwealth agency) to comply with the Information Privacy Principles when collecting or holding personal information under or for the purposes of such a contract,

insert a new Schedule 3 into the Privacy Act listing services which are not covered by the amendments,

enable the Privacy Commissioner to investigate, conciliate or make determinations in respect of a complaint about an act or practice of a contracted service provider and to conduct audits of contracted service providers, and

provide accountability mechanisms to involve outsourcing agencies in any such investigations.

Schedule 2 to the bill contains amendments to other legislation as a consequence of the amendments in Schedule 1.

FINANCIAL IMPACT

There is no significant financial impact on government as a consequence of applying the Privacy Act to contracted service providers.  The contracting agency will retain some responsibility for the acts and practices of the contracted service provider, but this is a cost which government would otherwise have if that function had not been contracted out.  Similarly, any administrative costs for contractors of complying with privacy obligations may be taken into account when negotiating the contract price, so there will be no significant overall reduction in the government's costs of complying with privacy obligations as a result of contracting out.

REGULATION IMPACT ON BUSINESS

The application of the Privacy Act to contractors providing services the Commonwealth or a Commonwealth agency will have a low regulatory impact on business.

There may be compliance costs for contractors in respect of:

designing and implementing systems and procedures to ensure compliance with the obligations under the Privacy Act;

training management and employees about the information privacy obligations under the Act;

cooperating with any audits or investigations by the Privacy Commissioner; and

complying with a determination of the Privacy Commissioner in the event of a substantiated complaint.

Many of these costs may already be borne by the contractor under contractual requirements in accordance with current Government competitive tendering and contracting policy. 

The contractor would be able to take any administrative costs of complying with these obligations into account when setting the contract price.

Contractors will have clear consistent standards applying to all contracts which are acceptable to Government.

REGULATION IMPACT STATEMENT

INTRODUCTION

The Privacy Act provides protection of personal information about individuals held by most Commonwealth agencies by establishing rules of conduct called Information Privacy Principles (IPPs).  The IPPs regulate:

¥     the collection of personal information;

¥     the storage and security of personal information;

¥     access to, and alteration of, personal information;

¥     the use of personal information; and

¥     the disclosure of personal information.

The Privacy Act applies to Commonwealth Government agencies although the acts and practices of some agencies are wholly exempt (for example, intelligence organisations) or are exempt in respect of certain activities, such as their commercial activities. 

The Privacy Act also has limited application to the private sector.  From the time of commencement it has regulated the collection, storage, use and security of tax file number information.  Combined with Part VIIC of the Crimes Act 1914 (Cth), the Privacy Act also applies, in part, to spent conviction information.  In 1991 the Privacy Act was extended to protect consumer credit information by regulating the handling of such information by credit reporting agencies and credit providers.  More recently, the Privacy Act was amended to apply to contracted case managers for the long term unemployed and hearing service providers. 

Under the Privacy Act, the Privacy Commissioner may investigate an act or practice of an agency that may breach an IPP and may make a determination in respect of, or conciliate a settlement of the matter.  The Privacy Commissioner also has monitoring, education, audit and research functions in relation to information privacy.

PROBLEM OR ISSUE IDENTIFICATION

The use of competitive tendering and contracting (CTC) as a means of increasing efficiencies in service provision has privacy implications.  In some cases CTC will result in a private sector contractor being in possession of personal information records for purposes relating to the supply of the contracted service.  This may result from the personal information records being passed to the contractor by the contracting agency or it may result from collection of personal information by the contractor as part of the performance of the contract. 

The recent amendments to apply the Privacy Act to contracted case managers for the long term unemployed and hearing service providers ensure that the protection that personal information had when a Government agency performed the function is preserved when the function is contracted out for performance by a private sector body.  Apart from these specific cases, the Privacy Act currently does not apply to private sector contractors.

SPECIFICATION OF THE DESIRED OBJECTIVES

To ensure that privacy protection, including recourse to the Privacy Commissioner, is maintained when Government agencies contract out functions.

IDENTIFICATION OF OPTIONS

Three possible options to address the problem have been identified.

Option 1:         Maintain the status quo. 

This would mean that there would be no legislative provision for the protection of personal information collected by or in the possession of a contractor supplying services to the Government.

Appropriate clauses for the protection of personal information in the possession of contractors would continue to be included in the contract by the contracting agency.

In 1994 the Privacy Commissioner issued guidelines entitled Advice for Commonwealth Agencies Considering Contracting Out (Outsourcing) Information Technology and Other Functions, which suggests privacy clauses and gives general advice to agencies concerning privacy when outsourcing.  The draft clauses in this publication are still widely used by agencies in formulating their contracts. 

Option 2:   Self-regulatory  measures.

Contractors could develop appropriate standards of privacy protection in respect of personal information held by contractors on behalf of government. 

Option 3:         Apply the Privacy Act to contractors supplying services to the Government.  

IMPACT ANALYSIS

Impact group identification

The same groups would be affected by all suggested options.  The groups that would be affected include any Commonwealth agency which is engaged in outsourcing ('government'), contractors including GBEs which are providing outsourced services ('business'), consumers of those services and the general public ('community').  The following analysis looks at the impact in terms of costs and benefits for the identified groups in respect of each of the options.  Quantitative data is not available for this analysis but a qualitative assessment is provided.

Option 1:   Maintain the status quo by reliance upon contractual rights

Costs

Government

Agencies that are subject to the Privacy Act have a statutory obligation under IPP 4 to ensure that when they give a person a record of personal information in their possession or control for the purpose of service provision to the agency, they do everything reasonably within their power to prevent unauthorised use or disclosure of information contained in the record.  Failure to make any provision for the protection of personal information given to contractors would constitute a breach of this statutory obligation.

Privacy standards would need to be negotiated by Government agencies for each outsourcing contract.

Legal action may be required in respect of breaches of contract.

Business

Depending on the content of the information privacy protection clauses included in the contract, there may be compliance costs for contractors in respect of:

-     designing and implementing systems and procedures to ensure that personal information held by the contractor for the purposes of a contract with the Government was treated differently from other information held by the contractors and was secure from unauthorised access, use and disclosure;

-     where a contractor collects personal information for the purposes of a contract with the Government, designing and implementing systems and procedures to ensure that forms used and methods employed met the standards set by the contract; and

-     training management and employees about the information privacy requirements under the contract. 

The requirements would be likely to be more onerous in contracts that involved the contractor handling or having access to significant volumes of personal information or information of a more sensitive nature.  The cost of compliance would not necessarily be any less than the cost of complying with information privacy legislation.  (The contractor is aware of the information privacy obligations that they have to abide by before they sign the contract and would be able to take any administrative costs of complying with these obligations into account when setting the contract price.)

Any breach of the information privacy obligations imposed under the contract by the contractor would expose the contractor to contractual remedies being taken by the contracting agency.

Community

There would be potential for inconsistent standards as privacy protection would be left in the hands of the contracting government agency.  It would be up to the contracting agency to ensure that information privacy clauses were included in the contract and that the clauses provided adequate protection for personal information.

The legal doctrine of privity of contract would mean that any breach of the contract could only be acted upon by the parties to the contract.  A person affected by an act or practice of a contractor that effectively constituted a breach of that person's privacy could take no action directly against the contractor and would have to rely on the contracting agency to pursue the matter with the contractor. 

The Privacy Commissioner has no jurisdiction over the acts or practices of a contractor and would not be able to make a determination or conciliate a settlement in respect of acts and practices that breached the IPPs.

Benefits

Government

Flexibility - the contracting agency would be able to manage its obligation under IPP 4 to ensure that it does everything reasonably within its power to prevent unauthorised use or disclosure of information contained in the record by the person who is given the personal information.  The requirements necessary to achieve this would vary from contract to contract depending on the amount and nature of personal information that the contractor would hold or have access to in performing the contract.  The contract approach enables the contracting agency to tailor the requirements for the individual contract.

Business

While the IPPs in the Privacy Act set the base standards, there is room to tailor requirements for particular contracts.  For example, a contracting agency may specify limits on the contractor's ability to rely on the exceptions in IPP 10 (limits on use of personal information) and IPP 11 (limits on disclosure of personal information) as appropriate. 

Community

The community has the benefit of privacy protection in respect of personal information held by contractors for government as provided for in contracts.

Option 2:   Self-regulatory measures.

Costs

Government

Government agencies would need to ensure in relation to each outsourcing contract that appropriate privacy standards were in place.

Business

Depending on the content of the self-regulatory information privacy protection standards, there may be compliance costs for contractors in respect of:

designing and implementing systems and procedures to ensure that personal information held by the contractor for the purposes of a contract with the Government was treated differently from other information held by the contractors and was secure from unauthorised access, use and disclosure;

where a contractor collects personal information for the purposes of a contract with the Government, designing and implementing systems and procedures to ensure that forms used and methods employed meet the standards set by the contract; and

training management and employees about the information privacy requirements.

The contractor would be able to take any administrative costs of complying with these obligations into account when setting the contract price.

Community

There may be inconsistencies between the standards established by legislation and those developed by contractors so that different privacy protection regimes applied depending on whether personal information was held by government or by contractors supplying services to government.

The Privacy Commissioner would have no jurisdiction over the acts or practices of a contractor and would not be able to make determinations in respect of acts and practices that breached the IPPs.

Benefits

Government

There is no apparent significant benefit to Government.  However, there may be modest administrative savings.

Business

Contractors would be able to develop standards tailored to the circumstances of contractors, although such standards would need to be acceptable to Government.

Community

The community would have the benefit of privacy protection in respect of personal information held by contractors for government to the extent of the self-regulatory standards.

Option 3:   Apply the Privacy Act to contractors supplying services to the Government where the contractor will collect or possess personal information on behalf of the Government.

Costs

Government

Loss of freedom to tailor information privacy requirements to individual contracts.

The contracting agency would retain some responsibility for the contractor's acts and practices.

Business

Private sector bodies contracting with the Government would have to comply with privacy regulation in relation to action taken for the purposes of the contract which other private sector bodies would not have to comply with.

There may be compliance costs for contractors in respect of:

designing and implementing systems and procedures to ensure that personal information held by a contractor for the purposes of a contract with the Government was treated differently from other information held by the contractor and was secure from unauthorised access, use and disclosure;

where a contractor collects personal information for the purposes of a contract with the Government, designing and implementing systems and procedures to ensure that forms used and methods employed met the standards set by the IPPs;

training management and employees about the information privacy obligations under the Act;

cooperating with any audits or investigations by the Privacy Commissioner; and

complying with a determination of the Privacy Commissioner in the event of a substantiated complaint.

These costs would vary from contractor to contractor depending on the extent to which the contractor's functions under the contract involve the collection and possession of personal information on behalf of the Government.  However, many of these costs may already be borne by the contractor.  Current Government CTC policy is that privacy protection clauses should be included in contracts wherever appropriate.  Therefore, contractors who hold personal information on behalf of the Government should already have in place systems that ensure that the personal information is secure and protected from unauthorised use and disclosure. 

Community

There is no apparent cost to the community.

Benefits

Government

This option would achieve certainty and consistency.  Legislation would ensure that all contractors who hold personal information on behalf of the Government would be subject to the same standards of information privacy protection and the same consequences for acts and practices that constitute an interference with the privacy of an individual.  Any administrative costs of complying with these information privacy obligations would  be certain and quantifiable and could be taken into account when setting the contract price.

Business

Contractors would have clear consistent standards applying to all contracts which would be known to be acceptable to Government.

Community

The Privacy Commissioner would have jurisdiction over the acts and practices of contractors in relation to personal information held by contractors on behalf of the Government.  The Privacy Commissioner could investigate an act or practice of a contractor that may breach an IPP and endeavour to conciliate a settlement of the matter and could also publish Guidelines for contractors, provide advice to contractors and conduct audits of records of personal information maintained by contractors.

Persons whose personal information was held by contractors on behalf of the Government would incur no loss of rights in relation to the protection of their privacy and, in particular, would have the right to complain to the Privacy Commissioner if they believed that a contractor has engaged in an act or practice that was an interference with their privacy. 

Restriction on competition

The imposition of obligations under the Privacy Act would be unlikely to affect competition between small businesses in relation to the market for government contracts because government agencies already include contractual obligations in respect of protection of personal privacy in outsourcing arrangements. 

CONSULTATION

The Attorney-General's Department has participated in Commonwealth Tendering and Contracting (CTC) Inter-Agency roundtable where there has been discussion of the issue of privacy protection for personal information in the possession of contractors and access to government information in the hands of contractors providing outsourced services.  The roundtable is convened by the CTC Unit of the Department of Finance.  Other participants include CTC advising agencies and some key agencies that are implementing competitive tendering and contracting.

In relation to the specific proposals referred to in this Regulation Impact Statement, there has been consultation with the Competitive Tendering and Contracting Unit of the Department of Finance, the Office of Government Information Technology and the Privacy Commissioner and there has been agreement by the stakeholders regarding the recommended option.

CONCLUSION AND RECOMMENDED OPTION

Considering the costs and benefits set out above and in view of the Government's objective of ensuring that privacy protection, including recourse to the Privacy Commissioner, is retained when Government agencies contract out functions, it is recommended that the Government endorse option 3 above.  

Extending the Privacy Act to contractors does not involve the imposition of regulation upon any particular industry.  It would extend the application of the Act to some private sector bodies that choose to enter into contracts to supply a service to the government and as a consequence, would collect or possess personal information for the government.  It is intended to preserve the level of privacy protection that existed when the Government supplied the service itself.  The amendments would not apply generally to bodies that receive grant funding by way of a contract or contract-like instrument with the Commonwealth, particularly in the health and community services areas.

Self-regulatory measures as suggested in Option 2 are not appropriate in this case for a number of reasons:

¥     The problem which has been identified arises from the need to ensure that the protections of an existing legislative scheme, which provides for privacy protection of personal information collected or held by government, are maintained where functions are contracted out by government.  Legislative mechanisms for providing such protection would appear to be the optimum way of dealing with the problem.

¥     There is no single or dominant industry body. 

¥     It is important that consistent measures are developed for all contractors.

While option 3 will allow the legislation to impose the standards, the current situation which is described in option 1 will still apply.  The contract will be the document which regulates the relationship between the contracting agency and the contractor. 

IMPLEMENTATION AND REVIEW

The proposed regulation should be implemented by appropriate amendments to the Privacy Act.  The Attorney-General's Department is responsible for administering the Privacy Act which involves the ongoing monitoring of its operation.

The Privacy Commissioner also has monitoring, education, audit and research functions in relation to information privacy.

NOTES ON CLAUSES

Clause 1 - Short title

When enacted, the bill will be cited as the Privacy Amendment Act 1998.  The Principal Act is the Privacy Act 1988.

Clause 2 - Commencement

The Privacy Amendment Act will come into operation on the 28th day after the day on which it receives Royal Assent.

Clause 3 - Schedules

Amendments to existing Acts and any other new provisions are contained in the Schedules to this Act.

Schedule 1

ITEM 1

SUBSECTION 6(1) (at the end of definition of 'agency')

Item 1 inserts in subsection 6(1) a provision which extends the meaning of 'agency' to cover a 'contracted service provider'.

By virtue of this extended definition, the obligations of a Commonwealth agency (see item 2 below) to observe the Information Privacy Principles are imposed on the contractors to whom Commonwealth services are 'contracted out'.  Thus the protection currently given to personal information handled by a Commonwealth agency is preserved when that agency enters into a contract with a private sector body for services which involve the handling of personal information by the private sector body.

Specific references to 'an eligible case manager', 'the nominated AGHS company' and 'an eligible hearing service provider' are deleted from the definition.  Each of these was inserted to provide coverage of contractors providing specific services, but will now be covered by the general term 'contracted service provider', and so their separate inclusion as agencies is unnecessary.  The application of the Privacy Act to these entities from the time they were first covered by it is preserved by new subsection 15(8) (see item 23).

ITEM 2

SUBSECTION 6(1)

Item 2 inserts in subsection 6(1) a definition of 'Commonwealth agency' which covers all the public sector categories of 'agency'.

The definition is necessary for the application of the definitions which are inserted by items 3 and 7, and to enable the differentiation between the public sector agencies, and those providing services on behalf of a public sector agency.

ITEM 3

SUBSECTION 6(1)

Item 3 inserts in subsection 6(1) a definition of 'Commonwealth contract' which covers any contract under which services are or were provided to a Commonwealth agency.  The definition therefore includes contracts which have been completed or terminated.  The definition also extends to the provision of services to third parties in connection with the Commonwealth agency's functions.  When read with the definition inserted by item 8, the definition extends to the provision of services by sub-contractors.

ITEM 4

SUBSECTION 6(1)

Item 4 inserts in subsection 6(1) a definition of 'contracted service provider' which covers any person who, under contract, is or was responsible for the provision of services, other than excluded funded services (see item 6), to a Commonwealth agency either directly or as a sub-contractor (see item 8).  The use of the past tense in this and the previous item ensures that complaints may be taken to the Privacy Commissioner under Part V of the Act about breaches by a contracted service provider of the Information Privacy Principles in relation to personal information held under or for the purposes of a Commonwealth contract even after the completion or termination of the contract.

ITEM 5

SUBSECTION 6(1) (paragraph (b) of the definition of 'eligible hearing service provider')

Item 5 amends the definition of 'eligible hearing service provider' consequential to the changes to the definition of agency. 

ITEM 6

SUBSECTION 6(1)

Item 6 inserts in subsection 6(1) a definition of 'excluded funded service' as a service specified in Schedule 3.  Schedule 3 lists a number of services that are not subject to the Privacy Act at present, such as services provided by organisations or individuals who receive funding assistance from the Commonwealth.  The effect is to ensure that this bill preserves the existing protections offered by the Privacy Act, without imposing new obligations in relation to services which have never been subject to it.  Provision is made to specify excluded funded services by regulation, so that the introduction of new funding programs is not delayed by the need to await legislative amendment of the Schedule.  Services may also be prescribed as no longer being excluded from the coverage of the Act.

ITEM 7

SUBSECTION 6(1)

Item 7 inserts in subsection 6(1) a definition of 'outsourcing agency' which covers any Commonwealth agency to which services are provided under a Commonwealth contract.

ITEM 8

SUBSECTION 6(1)

Item 8 inserts in subsection 6(1) a definition of 'subcontractor' which covers a person who, under a contract with a 'contracted service provider', is or was responsible for the provision of services other than 'excluded funded services' to a Commonwealth agency or to the contracted service provider for the purposes of a Commonwealth contract.  The definition is necessary to allow for the coverage of subcontractors as contracted service providers.  As the definition of 'contracted service provider' includes 'a subcontractor' (see item 4), the effect of this definition is to apply coverage to all subsequent subcontractors responsible for the provision of services (other than excluded funded services) for the purposes of the Commonwealth contract.

ITEM 9

AFTER SUBSECTION 6(4)

Item 9 inserts three new subsections into section 6.

New subsection (4A) is a drafting mechanism to ensure that references to a contracted service provider only refer to the contracted service provider acting in that capacity, and do not place obligations on them in relation to personal information held for the purposes of unrelated activities.

The obligations of the Privacy Act apply to the acts and practices of agencies.  New subsection (4B) in effect defines an act or practice by a contracted service provider to cover those acts or practices connected with the collection or possession of personal information under or for the purposes of the Commonwealth contract.  This ensures that the coverage of the Act extends only to the handling of personal information that is connected with the Commonwealth contract and not to other personal information held by the contracted service provider.  This subsection also makes it clear that the extension of the Act is not intended to cover the personnel records of the staff of contracted service providers.

The Privacy Act applies to government agencies of the Australian Capital Territory, by virtue of modifications contained in Schedule 3 to the Australian Capital Territory Government Service (Consequential Provisions) Act 1994.  The extension of coverage effected by this bill is not intended to apply to contractors providing services to Australian Capital Territory government agencies.  New subsection (4C) is necessary to ensure that courts of the Australian Capital Territory are not covered by the definition of Commonwealth agency.

ITEM 10

AFTER SECTION 6

Item 10 inserts a new section 6A to cover notional contracts between Commonwealth agencies or parts thereof under which services are provided by one agency, or part thereof, to another agency, or part thereof.  Technically, there may not be legal contractual relations in such circumstances.  The effect of this provision is to ensure that the outsourcing amendments apply to public sector agencies who provide services in the same way as they apply to private sector agencies.

ITEM 11

PARAGRAPH 7(1)(a)

Section 7 of the Act sets out the acts and practices that are covered by the various provisions of the Act.  Item 11 amends paragraph 7(1)(a) by deleting an eligible hearing service provider and an eligible case manager, currently excluded from the ambit of 'agency' for the purposes of the paragraph, as they are removed from the definition of agency by item 1.  Instead, a contracted service provider is excluded from the definition of agency for the purposes of that paragraph, and is provided for separately in paragraph 7(1)(cb) (see item 14). 

ITEM 12

AT THE END OF SUB-PARAGRAPHS 7(1)(a)(i), (ii) and (iii)

Item 12 amends section 7(1), in accordance with current drafting practices, to make it clear that the exclusions in each sub-paragraph are stated in the alternative.

ITEM 13

AT THE END OF PARAGRAPH 7(1)(a)

This item ensures that the acts and practices of a contracted service provider that it also a Commonwealth agency, in its capacity as a contracted service provider, are not covered by paragraph 7(1)(a), as they are dealt with separately in new paragraph 7(1)(cb), inserted by item 14.

ITEM 14

PARAGRAPHS 7(1)(cb) and (cc)

Item 14 removes paragraphs (cb) and (cc) which cover acts and practices by eligible case managers and eligible hearing service providers, consequent upon their removal from the definition of agency by Item 1.  New paragraph (cb) covers acts and practices by a contracted service provider other than exempt acts or practices as defined in the new section 7A (see item 18).  The effect of the provision is to add such acts and practices to the categories of acts and practices to which the Privacy Act applies.

ITEM 15

PARAGRAPHS 7(1)(d) and (e)

Item 15 amends paragraphs 7(1)(d) and (e) by substituting 'contracted service providers' for the service providers excluded from the definition of agency for the purposes of those paragraphs, consequent upon their removal from the definition of agency by item 1.   

ITEM 16

PARAGRAPHS 7(1)(ea), (eb), (ec) and (ed)

Item 16 replaces coverage of acts and practices of a Minister relating to eligible case managers (paragraphs 7(1)(ea) and (eb)) and to eligible hearing service providers (paragraphs 7(1)(ec) and (ed)) with coverage of acts and practices by a Minister relating to the affairs of a person in the capacity of contracted service provider (new paragraph (ea), or records relating to the affairs of such a person (new paragraph (eb).  This is consequential upon the removal of eligible case managers and eligible hearing service providers from the definition of agency by item 1.

ITEM 17

AT THE END OF PARAGRAPH 7(1)(f)

Item 17 amends paragraph 7(1)(f), in accordance with current drafting practice, to make it clear that the exclusions are stated in the alternative.

ITEM 18

AFTER SECTION 7

Item 18 inserts a new provision, section 7A, which exempts certain acts and practices from the coverage provided by section 7(1)(cb), as amended by item 14.  The effect of the provision is to apply to contracted service providers (including subcontractors) the same exemptions from the application of the Privacy Act as apply to the relevant outsourcing agency.

ITEM 19

AFTER SUBSECTION 8(1)

This item inserts a new subsection 8(1A) which equates the acts and practices of a person acting on behalf of, or at the request of, a contracted service provider, with those of an employee of the contracted service provider.  This ensures that the Act applies to the acts and practices of a person handling personal information for the contracted service provider in the absence of either an employee relationship or a contract.

ITEM 20

AFTER SUBSECTION 8

This item inserts new section 8A into the Act.  The new section is designed to ensure that individuals are not left without a remedy in circumstances where personal information is dealt with outside Australia.  In such circumstances, the effect of the section is that the outsourcing agency or the contracted service provider in Australia which made the personal information available overseas is responsible for any subsequent failure by a contracted service provider to comply with the Information Privacy Principles.

ITEM 21

SUBSECTION 9(1)

Item 21 extends the definition of collector to include not only those agencies that collect personal information but also those agencies that have control over the collection of personal information.  This ensures that where personal information is collected on behalf of an agency, in a manner determined by the agency, the agency remains responsible for ensuring that the collection is in accordance with the Information Privacy Principles.

ITEM 22

AFTER SECTION 14

Item 22 inserts a new provision, section 14A, which applies to the transfer of information between an outsourcing agency and a contracted service provider or between contracted service providers for the same Commonwealth contract.  The provision ensures that such transfers of information are governed by Information Privacy Principle 10, relating to the use of personal information, and not by Information Privacy Principle 11, relating to the disclosure of personal information.  This provision ensures that the transfer of information between agencies, their contractors and their subcontractors are treated in the same way as transfers within an agency.

ITEM 23

AT THE END OF SECTION 15

Item 23 amends section 15 to specify the application of the Information Privacy Principles to acts and practices of contracted service providers.  In accordance with the existing policy of section 15, Information Privacy Principles 1, 2, and 3, dealing with collection, apply from the commencement of this bill.  Information Privacy Principles 10 and 11, dealing with use and disclosure, apply, where the personal information was collected by a contracted service provider, to information collected after the commencement of this bill, and, where the personal information was collected by a Commonwealth agency, to information collected after the commencement of the Act.  Information Privacy Principles 4,  8 and 9, dealing with storage, accuracy and relevance to use of records, apply to all personal information in the possession of a contracted service provider regardless of when it was collected. 

Legislation to be introduced to amend the Freedom of Information Act 1982 will extend the coverage of that Act to personal information held by contracted service providers in relation to the Commonwealth contract, to provide the mechanisms by which effect is given to Information Privacy Principles 6 and 7, relating to access to, and alteration of, records containing personal information.  New subsection (7) therefore applies these Principles and related Principle 5, dealing with openness, to personal information included in a record, or a record transferred by the outsourcing agency to the contracted service provider, on or after a day to be notified by the Minister in the Gazette.  This day will be the commencement day of the proposed amendments to the Freedom of Information Act 1982.

New subsection (8) is a savings provision to preserve the existing coverage of an eligible case manager, an eligible hearing service provider and the nominated AGHS company despite their removal from the definition of agency by item 1.  The provision has the effect of preserving the application of the Act to these entities from the time they were first covered by the Act, notwithstanding the limitations upon its application to contracted service providers effected by the preceding subsections.

ITEM 24

AFTER SECTION 16

Item 24 inserts after section 16 a new provision, section 16A which excuses a contracted service provider from the obligations imposed by Information Privacy Principle 5  if an outsourcing agency for the Commonwealth contract has discharged those obligations in relation to that personal information.  This will allow outsourcing agencies to, for example, report to the Privacy Commissioner on personal information held by themselves and their contracted service providers, rather than each contracted service provider having to provide a separate report.

This item also inserts a new section 16B which deems the relevant outsourcing agency to have possession of a record in the possession or control of a contracted service provider for the purposes of Information Privacy Principles 6 and 7.  The effect of this provision is that the relevant agency will have responsibility for administering requests for access to and alteration of records.  Amendments to be introduced to the Freedom of Information Act 1982 will provide the mechanisms for handling such requests.

ITEM 25

AT THE END OF PARAGRAPHS 30(3)(a), (b) and (c)

Item 25 amends paragraphs 30(3)(a), (b) and (c), in accordance with current drafting practice, to make it clear that the subsections are not stated in the alternative.

ITEM 26

AFTER PARAGRAPH 30(3)(d)

Item 26 inserts new paragraph 30(3)(da).  The new paragraph maintains the accountability of outsourcing agencies by ensuring that they are aware of matters involving contracted services providers that are the subject of a report by the Privacy Commissioner under paragraph 30(1)(b). 

The new paragraph adds a requirement that when the Privacy Commissioner is providing such a report to the Minister (currently the Attorney-General), in relation to a contracted service provider, a copy of the report must be provided to each outsourcing agency for the Commonwealth contract.

ITEM 27

SUBSECTION 30(4)

This item amends paragraph 30(4)(d).  Consistently with the amendment inserted by the previous item, this amendment maintains the accountability of outsourcing agencies by ensuring that they are aware of matters involving contracted services providers that are the subject of a further report by the Privacy Commissioner under paragraph 30(4)(b). 

The amendment adds a requirement that when the Privacy Commissioner is providing such a report to the Minister (currently the Attorney-General) in relation to a contracted service provider, a copy of the report must be provided to each outsourcing agency for the Commonwealth contract.

ITEM 28

AFTER SUBSECTION 32(2)

New subsection 32(2A) adds a requirement that, where the Privacy Commissioner is providing a report to the Minister (currently the Attorney-General) as a result of monitoring an activity or conducting an audit or where the Privacy Commissioner is providing a further report, and the report relates to an act or practice engaged in by an individual in the capacity of a contracted service provider,  the Privacy Commissioner must provide a copy of the report to each outsourcing agency for the Commonwealth contract.

ITEM 29

AT THE END OF SECTION 36

This item inserts new subsection 36(8), which provides a safety net by giving the Privacy Commissioner the ability to allow a complainant to amend the complaint to ensure that the appropriate party is named.  This ensures that the individual complainant suffers no loss or delay as a result of making the wrong choice in specifying the respondent to their complaint because they are not aware that particular services are provided by a contracted service provider.

The new subsection gives the Privacy Commissioner power, after having made preliminary inquiries, to allow the complainant to amend the complaint to specify the contracted service provider as the respondent rather than the outsourcing agency or the principal of the outsourcing agency, if the Privacy Commissioner is satisfied as a result of those inquiries that the act or practice concerned was an act or practice of a contracted service provider not the outsourcing agency named in the complaint. 

ITEM 30

SECTION 37 (ITEMS 6, 7, 8, 9 AND 10 OF THE TABLE)

Item 30 removes references to eligible case managers, the nominated AGHS company and eligible hearing service providers, consequential upon their removal from the definition of agency by item 1.

ITEM 31

AFTER PARAGRAPH 42(b)

 Item 31 allows the Privacy Commissioner to make inquiries of the respondent in order to make a decision about whether the complainant should be allowed to amend the complaint to specify the contracted service provider as the respondent rather than the outsourcing agency, or the principal of the outsourcing agency, under new subsection 36(8).

This provision is necessary for the operation of the amendment to section 36 inserted by the item 29.

ITEM 32

AFTER SUBSECTION 43(1)

This item inserts new subsection 43(1A), which facilitates the accountability of contracted service providers to outsourcing agencies by requiring the Privacy Commissioner to inform each outsourcing agency for the Commonwealth contract of the investigation of a matter to which a complaint relates where a contracted service provider is the respondent.

ITEM 33

AFTER SECTION 48

Section 48 requires the Privacy Commissioner to inform the complainant and the respondent of, and the reasons for, a decision not to investigate, or not to investigate further, a matter to which a complaint relates.

This item adds new section 48A, which also requires the Privacy Commissioner to inform each outsourcing agency that the Privacy Commissioner considers it appropriate to inform of, and the reasons for, such a decision regarding a complaint to which a contracted service provider is a respondent. 

New subsection 48A also allows the Privacy Commissioner, after consultation with any such outsourcing agency concerned, to recommend, in writing, to the outsourcing agency any measures the Privacy Commissioner considers appropriate.  New subsection 48A(3) requires the outsourcing agency to inform the Privacy Commissioner of any action that is proposed concerning the recommendation within 60 days of receiving the recommendation.

ITEM 34

AFTER SECTION 50

This item inserts new section 50A, which applies if at any time after the complaint is made but before the Privacy Commissioner has made a determination the contracted service provider is not available or appropriate as respondent for one of the reasons specified. 

The new section ensures that an individual complainant does not suffer loss in the event that the respondent contracted service provider has ceased to exist, become insolvent, commenced to be wound up or for other similar reasons. 

Should the Privacy Commissioner consider it appropriate to do so, the amendment allows the Privacy Commissioner to amend a complaint to substitute the outsourcing agency, or the principal executive of the outsourcing agency, for the contracted service provider as respondent to the complaint. 

Before the Privacy Commissioner amends a complaint in this way he or she is required to give the outsourcing agency a notice informing the outsourcing agency of the proposed amendment to the complaint and giving reasons for the proposed amendment.  The Privacy Commissioner must then provide the outsourcing agency an opportunity to make oral and/or written submissions to the Privacy Commissioner concerning the proposed amendment.

If the Privacy Commissioner has already started investigating a complaint before it is amended to substitute the outsourcing agency for the contracted service provider, the Privacy Commissioner is taken to have informed the outsourcing agency that the matter is to be investigated, to satisfy the requirements of subsection 43(1).

ITEM 35

AFTER SECTION 52

Item 35 inserts new section 52A, which applies if at any time after a determination has been made but before the contracted service provider has paid the complainant the whole or part of the amount specified in relation to compensation or costs in the determination, the contracted service provider is not able to provide compensation or pay costs awarded, in the same circumstances as specified in the previous item.

The amendment ensures that an individual complainant does not suffer loss in the event that the respondent contracted service provider is not able to provide compensation or pay costs awarded, for one of the reasons specified.

The new section allows the Privacy Commissioner to make a determination in writing that a specified outsourcing agency is taken to be the respondent in relation to a determination that includes a declaration that the complainant is entitled to compensation, or reimbursement of expenses, if the respondent contracted service provider is not able to provide compensation or pay costs awarded for one of the reasons specified, and the complainant has not been paid part or all of the amount specified.  Before the Privacy Commissioner makes such a determination the Privacy Commissioner must consider it is reasonable to do so. 

This provision has the effect of making the determination against the contracted service provider, as respondent, recoverable as a debt due by the outsourcing agency if they have the capacity to sue and be sued and in all other cases as a debt due by the Commonwealth.

Before the Privacy Commissioner makes such a determination the Privacy Commissioner is required to give the outsourcing agency a notice informing the outsourcing agency of the proposed determination and giving reasons for the proposal.  The Privacy Commissioner must then provide the outsourcing agency an opportunity to make oral and/or written submissions to the Privacy Commissioner concerning the proposed determination.

ITEM 36

AFTER SECTION 53

Similarly to the amendment inserted by item 33, new section 53A adds a requirement that, should the Privacy Commissioner make a determination to which a contracted service provider is the respondent, the Privacy Commissioner must provide a copy of the determination to each outsourcing agency to which the Privacy Commissioner considers it appropriate to provide the determination.

After consultation with any such outsourcing agency, the Privacy Commissioner may recommend to the outsourcing agency any measures the Privacy Commissioner considers appropriate.  Within 60 days of receiving the recommendation the outsourcing agency must inform the Privacy Commissioner of any action that is proposed concerning the recommendation.

ITEM 37

SUBSECTION 54(2) (DEFINITION OF AGENCY)

The Act contains separate enforcement mechanisms depending upon whether the subject of a determination is a private or public sector body.  This reflects the decision of the High Court in Brandy v Human Rights and Equal Opportunity Commission  (1995) 183 CLR 245.  Part V Division 3 of the Act currently contains the enforcement mechanisms for private sector bodies, such as eligible case managers.  The amendment applies the mechanisms of the Division to determinations to which contracted service providers are respondents, and removes references to eligible case managers, the AGHS company and eligible hearing service providers, consequential upon their removal from the definition of agency by item 1.

ITEM 38

SUBSECTION 57(2) (DEFINITION OF AGENCY)

Part V Division 4 of the Act provides the enforcement mechanisms where public sector bodies are respondents to determinations.  The amendment ensures that the Division does not apply to determinations to which contracted service providers are respondents, and removes references to eligible case managers, the AGHS company and eligible hearing service providers, consequential upon their removal from the definition of agency by item 1.

ITEM 39

AT THE END OF THE ACT

Item 39 adds a new schedule 3 which itemises the excluded funded services.  The addition of the schedule is consequential to the new definition of excluded funded service in section 6(1).  Services listed in the schedule are not brought within the coverage of the Privacy Act by the amendments made by this bill.

The services listed are excluded from coverage because they have traditionally been provided by the private sector, and/or are delivered by community based or voluntary organisations with funding support from the Commonwealth, and have not previously been covered by the Privacy Act.  Coverage of these services would be a significant extension of the Act, unrelated to preserving the existing protections it offers.

Schedule 2 - Consequential amendment of other Acts

Disability Discrimination Act 1992

ITEM 1

The amendment to the definition of 'Commonwealth agency' brings the definition in the Disability Discrimination Act 1992 in line with the new definition of 'Commonwealth agency' in the Privacy Act.  The Disability Discrimination Act uses the term 'Commonwealth agency' in relation to its damages, review and enforcement provisions.  Traditionally, the definition of 'agency' in the Privacy Act has not included private sector bodies.  Amendments, including the amendments made by this Act, have expanded the definition of 'agency' in the Privacy Act to include private sector bodies.  The new definition of 'Commonwealth agency' in the Privacy Act does not include private sector bodies.  Because it is necessary  to continue to exclude private sector bodies from the definition of 'Commonwealth agency' in the Disability Discrimination Act to avoid difficulties with the enforceability of determinations, the definition of 'Commonwealth agency' is amended as provided in this item. 

Racial Discrimination Act 1975

ITEM 2

The amendment to the definition of 'Commonwealth agency' brings the definition in the Racial Discrimination Act 1975 in line with the new definition of 'Commonwealth agency' in the Privacy Act.  The Racial Discrimination Act uses the term 'Commonwealth agency' in relation to its damages, review and enforcement provisions.  Traditionally, the definition of 'agency' in the Privacy Act has not included private sector bodies.  Amendments, including the amendments made by this Act, have expanded the definition of 'agency' in the Privacy Act to include private sector bodies.  The new definition of 'Commonwealth agency' in the Privacy Act does not include private sector bodies.  Because it is necessary  to continue to exclude private sector bodies from the definition of 'Commonwealth agency' in the Racial Discrimination Act to avoid difficulties with the enforceability of determinations, the definition of 'Commonwealth agency' is amended as provided in this item.

Sex Discrimination Act 1984

ITEM 3

The amendment to the definition of 'Commonwealth agency' brings the definition in the Sex Discrimination Act 1984 in line with the new definition of 'Commonwealth agency' in the Privacy Act.  The Sex Discrimination Act uses the term 'Commonwealth agency' in relation to its damages, review and enforcement provisions.  Traditionally, the definition of 'agency' in the Privacy Act has not included private sector bodies.  Amendments, including the amendments made by this Act, have expanded the definition of 'agency' in the Privacy Act to include private sector bodies.  The new definition of 'Commonwealth agency' in the Privacy Act does not include private sector bodies.  Because it is necessary  to continue to exclude private sector bodies from the definition of 'Commonwealth agency' in the Sex Discrimination Act to avoid difficulties with the enforceability of determinations, the definition of 'Commonwealth agency' is amended as provided in this item.

24

24