Contractors
- How do the IPPs and NPPs operate together in Commonwealth contracting?
- Special rules when contracting with federal government agencies
How do the IPPs and NPPs operate together in Commonwealth contracting?
Information handling obligations set out in a Commonwealth contract must be consistent with the obligations imposed by the IPPs applicable to a federal government agency. Government agencies require contractors to maintain the same standard of privacy protection to which the agencies are subject.
The NPPs or an approved privacy code only apply to an organisation where they are not inconsistent with the Commonwealth contract, or where the contract is silent. The primary privacy obligations of a Commonwealth contractor are those in the contract.
Other than under the relevant Commonwealth contract, contractors are bound by the NPPs to the extent they fall within the privacy legislation.
Contractors will not be considered to have breached the NPPs or applicable code if their activities are:
- done for the purpose of meeting the contractual obligations, either directly or indirectly; or
- authorised by a provision of the contract that is inconsistent with the NPPs or an applicable code.
As the IPPs are not identical to the NPPs, in some cases organisations have to meet a higher standard under the NPPs than under the Commonwealth contract.
This means that information may be subject to different thresholds of privacy protection depending on whether the information is held by a contractor (contract and NPPs) or a government agency (IPPs).
Special rules when contracting with federal government agencies
Special rules apply to contracted service providers working under a Commonwealth contract.
Requests for information
Individuals can ask a party to a Commonwealth contract (either an agency or a contracted service provider) for information on the provisions of the contract that are inconsistent with an applicable code or NPP.
The disclosure requirement in relation to privacy provisions in a Commonwealth contract is an attempt to improve public awareness of the applicable privacy standards.
Small business
Small business operators are generally exempt from compliance with the NPPs.
However, where a small business operator is contracting with a government agency under a Commonwealth contract, it is subject to the legislation in respect of the performance of the contract.
Essentially, a small business need only comply with the new legislation in relation to its activities undertaken for the purposes of a Commonwealth contract (assuming that it is otherwise exempt).
Direct marketing
Organisations contracting with government are expressly prohibited from using or disclosing information obtained under a Commonwealth contract for direct marketing purposes unless the use or disclosure is a necessary part of the performance of the contract.
This prohibition overrides the relevant provisions in NPPs or approved industry codes.
Complaints
Specific provisions are aimed at ensuring the complaints mechanism operates effectively where a complaint is made about an act or practice of an organisation contracting with government in relation to the Commonwealth contract.
If a contracted service provider is bound by an approved privacy code instead of the NPPs, then complaints will usually be made to the relevant adjudicator under that code. However, where the act or practice complained of is undertaken by a contracted service provider for the purposes of meeting its contractual obligations, the adjudicator investigating the complaint must immediately refer it to the Privacy Commissioner.
Where a remedy cannot be obtained from a contracted service provider because it is insolvent or being wound up or in certain other circumstances, the Privacy Commissioner is permitted to substitute the agency for the contractor. The inclusion of this section is intended to ensure that ultimate responsibility for the acts and practices of contracted service providers remains with the agency.
Complaints about the acts and practices of contracted service providers under a Commonwealth contract in relation to personal information held under or for the purposes of the contract may be taken to the Privacy Commissioner even after the completion or termination of the contract.