The PRIS Act covers public sector agencies, such as Departments, Local Councils, Police, and other bodies and persons carrying out public functions. But did you know it may also extend to private businesses?
Mirroring the equivalent Victorian legislation, the Information Privacy Principles (IPPs) under the Privacy and Responsible Information Sharing (PRIS) Act may apply to private businesses that have been engaged by a public sector agency (contracted service provider) but only in relation to the provision of services under the State services contract.
This means private businesses will be bound by the IPPs in the same way and to the same extent as the public sector agency – providing the following factors are relevant to the contractual arrangement:
- the contracted service provider is providing services under a State services contract;
- the contract contains a clause specifying that the contracted service provider will be directly bound by the IPPs; and
- the relevant act or practice was undertaken by the contracted service provider for the purposes of the State services contract.
But wait there’s more…under the PRIS Act the meaning of contracted service provider extends beyond the party to a State services contract who provides services to the public sector agency, and includes subcontractors of the contracted service provider whether engaged directly or indirectly.
So what does the State services contract need to include?
Simply put, the State services contract must include a provision which gives effect to section 129 of the PRIS Act.
If there is no such clause, the public sector agency will be responsible for any failure by the contracted service provider to comply with the IPPs.
What does all this mean for private businesses?
The PRIS Act confirms that if a section 129 clause is present in a State services contract that contracted service providers will be classified as IPP Entities for the purpose of the State services contract to the extent they are handling personal information.
If contractually bound as discussed above, the obligations on contracted service providers are primarily set out under Part 2, Division 11 of the PRIS Bill:
The PRIS Act provides that contracted service providers may be liable for any failure to comply with the applicable obligations imposed by the PRIS Act in the performance of its functions under a State services contract.
What does all this mean for public sector organisations?
Public sector entities should consider amending their template service provider contracts to include a clause that appropriately activates section 129 to ensure contracted service providers are accountable for their obligations under the PRIS Act.
Without such a clause, enforcement action may be taken against the public sector agency even if it relates to a breach by a contracted service provider.
Our team are well known for our expert experience with privacy legislation, government contracts and information sharing agreements. Contact us for more information as to how the PRIS Act may impact you.