Federal Government Clients and Privacy
This is fairly straightforward. If you are providing services that involve the handling of personal information for a federal government agency, the Privacy Act 1988 applies to you. This means you must comply with all 12 Australian Privacy Principles and have appropriate privacy policies, collection notices, handling procedures, and security systems.
By the way, if your federal government client is giving you the details of their employees, you are handling personal information. The employee records exemption does not apply to that information.
NSW Government Clients and Privacy
Of all the archaic and bizarre definitions in privacy law, my favourite has to be the definition of public sector agency in the NSW Privacy and Personal Information Protection Act 1988. The words seem clear as day: a public sector agency is some kind of government body, right? Wrong.
Subsection (g) of that definition includes:
“a person or body that—
provides data services (being services relating to the collection, processing, disclosure or use of personal information or that provide for access to such information) for or on behalf of a body referred to in paragraph (a)–(f) of this definition, or that receives funding from any such body in connection with providing data services,”
Data services only means IT companies, right? Read that again.
Services relating to the… use of personal information. Data services in NSW now include marketing firms, research groups, admin support services, community outreach programs, unincorporated entities and not-for-profits providing community services. If you receive funding from a State or Local Government agency to do something for them, chances are you just became a public sector agency under the NSW privacy legislation. This may also include sub-contractors.
Does your privacy policy template cover that? Under your standard form services agreement, who has the notification obligations if a breach occurs? Who pays the legal costs in the event of a malicious attack, given that the client makes you a more desirable target?
Oh, and please note that the regulation is not limited to just the work you do for that body; there is only the exclusion from regulation by the federal Privacy Act 1988 for that work under s. 7B(5). This means your actions could conceivably be complained about by an individual who has no connection with your work for the State or Local Government body.
If you have government clients, or are subcontracted by bigger organisations for their government clients, you really need to consider your privacy policy, collection notices, privacy management plan and, especially, your social media policies. You also need some competent review of your contracts and agreements.
This area of law bears very close attention. The current reforms, in a Bill tabled in Parliament on 26 October 2022 by the Attorney General, the Hon Mark Dreyfus KC MP, propose fines for corporations of up to 30% of a company’s revenue or $50 million, whichever is higher. Individuals and sole traders will also get hit with $2.5 million fines. The second round of reforms, to be tabled in 2023, includes a reduction of the Small Business Operator turnover exemption from $3 million to just $500,000.00 annually.
In addition, the compensation awards in state Tribunal decisions are among the highest those tribunals can award. This is getting very expensive to ignore.
Contact our office today to discuss your likely obligations and our privacy review services.
This article is not legal advice, and the views and comments are of a general nature only. This article is not to be relied upon in substitution for detailed legal advice.