
Rawlings, Jane --- "Outsourcing under the amended Privacy Act 1988" [2001] PrivLawPRpr 17; (2001) 7(10) Privacy Law and Policy Reporter 200

[1] Credit providers and credit reporting agencies are regulated by Pt 3A of the Privacy Act 1988 (Cth) and the Credit Reporting Code of Conduct, which together apply privacy principles to the specialised area of consumer credit reporting. These provisions together cast primary liability for compliance on credit providers and the credit reporting agencies themselves, not upon their agents, including providers of outsourced IT services required to operate either a credit reporting agency or to support credit provision services.

[2] These do not address issues such as who should adopt the principles, mechanisms for complaints, compliance and disputes, personal information of employees (although this is now the subject of an exemption in the Privacy Act 1998 as amended) and transitional issues as to whether the principles applied to personal information collected before the principles were implemented.

[3] The emerging de facto benchmark of privacy legislation worldwide is not the OECD Data Privacy Principles but Directive 95/9/EC of the European Parliament and of the Council of Europe of 24 October 1995 on the Protection of Individuals with Respect to the Processing of Personal Data (the ‘Data Protection Directive’). The Data Protection Directive imposes the primary obligation for compliance with data protection principles on the controller of personal data; that is, the entity which alone or jointly determines the purposes and means of processing personal data (or which is designated as such by national or European Community laws or regulations). However, the Data Protection Directive also recognises the concept of a ‘processor’ of personal data, which processes personal data on behalf of the controller but is not a controller in its own right: art 2(e) of the Data Protection Directive. Articles 10 and 11 relate to the information that must be provided when personal data is collected from a data subject and where personal data has not been collected directly from the data subject. Both refer to the controller and to the concept of a controller’s ‘representative’, which does suggest the notion of agency on behalf of a data controller, such as the activities of, say, an outsourced business function service provider. However, art 17 makes it clear that where an outsourcing service provider acts purely as a processor, the only obligations that can be placed on it are the obligation to act only on instructions from the controller and the obligations under art 17(1) concerning security (which may be further defined by the laws of the member state in which the processor is established), which are also placed upon the processor.

Article 17(1) requires the controller (and hence the processor of personal data) ‘to implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access .... and against all other unlawful forms of processing’. No such protection appears to have been allowed for outsourcing service providers in Australia who act only as a ‘processor’ rather than as processor and controller as those terms are understood under the Data Protection Directive.

[4] The IIA Code contains a permission based ‘opt in’ approach to consent for the purposes of direct marketing.

[5] The ADMA Code operates an ‘opt out’ approach to the use of personal information in direct marketing.

[6] This borrows the wording of art 17(1) of the Data Protection Directive. NPP 4 refers to ‘reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure’: NPP 4.1. Higher security standards than NPP 4 may be commercially appropriate in light of the activities concerned. NPP 4 does not set a particularly demanding standard when judged against other international standards of data security. A higher standard may also be required by legislation or code of conduct.

[7] Privacy Advisory Committee, ‘Outsourcing and privacy: advice for Commonwealth agencies considering contracting (outsourcing) out information technology and other functions’, August 1994; available at <www.privacy.gov.au/public/index.html>.

[8] This is, of course, a high level and general drafting guide. Careful consideration must be given to the particular risk to privacy and personal information posed by the nature of the IT service or business function that has been outsourced.

[9] This statement flows from the service provider’s obligation to comply with the NPPs even when simply providing contractual ‘processing’ services. This requires both parties to include the customer’s privacy standards for compliance with privacy law and to deal with any inconsistencies within the contract.

[10] One practical solution is for a third party to maintain ‘opt out’ or ‘opt in’ lists which must be consulted before, for example, conducting a new marketing campaign.
