Allens Arthur Robinson

Federal regulation

This is a brief summary of some of the major aspects of the existing regulation of the public sector.

The Commonwealth Privacy Act 1988 regulates the handling of private information by the Federal and ACT public sector. It:

  • binds the Federal public sector and ACT agencies and departments;
  • sets out the Federal Privacy Commissioner's roles and responsibilities;
  • establishes Information Privacy Principles (IPPs) to regulate the handling of personal information by Federal Government agencies; and
  • only protects information privacy - surveillance and other forms of physical intrusion are not covered.

The IPPs in the Privacy Act do not apply to a contracted service provider (a contractor).

What are the agency's obligations under the IPPs?

The IPPs ensure that Commonwealth and ACT agencies (and any other bodies that are subject to the Privacy Act):

  • collect information for lawful purposes and by fair means;
  • inform individuals when information is collected;
  • protect personal information against misuse by reasonable security safeguards;
  • take reasonable steps to keep personal information accurate, up-to-date and complete;
  • use and disclose personal information only for the purposes for which it was collected.

Contractual obligations

The agency must ensure its contractors meet the same obligations that the agency itself would have to meet under the IPPs. This is done through contractual obligations.

An agency entering into a Commonwealth contract must take contractual measures to ensure:

  • that the contractor does not do an act or engage in a practice that would breach an IPP if done or engaged in by the agency;
  • that the Commonwealth contract does not authorise a contractor to engage in any such act or practice; and
  • that the contract contains provisions to ensure any such act or practice is not authorised by subcontract.

These obligations reflect one of the overall objectives of the Private Sector Act, which is to ensure that information is subject to the same - or a higher - degree of privacy protection when it is in the hands of the contractor as it would have been had it remained with the government agency.

Clauses for inclusion in contracts

The Privacy Commissioner has recommended a number of clauses for inclusion in contracts for Information Technology and other services. Examples include clauses which oblige the contractor to do such things as:

  • protect the personal information it holds in connection with the contract;
  • use the information only for purposes set out in the contract;
  • notify the agency if any of the privacy clauses have been breached;
  • not transfer any personal information outside Australia without approval from the agency.