The Privacy Act 1988 (Privacy Act) has always required organisations which are bound by the Privacy Act (‘APP Entities’) to take reasonable steps to keep personal information (Personal Information) secure.
However, the newly introduced Notifiable Data Breaches (NDB) scheme has added a further obligation for APP Entities to notify the Office of the Australian Information Commissioner (OAIC) of data breaches involving personal information (see our previous article here for more information).
The June 2018 quarter was the first full quarter of the NDB scheme, and the statistics are sobering. According to figures published by the OAIC, there were 242 notifications in the June 2018 quarter, showing that the NDB scheme is gaining traction as organisations implement appropriate procedures to detect, assess and deal with data breaches (see our summary here for more information about how to prepare for the NDB scheme).
Given the complexity of IT security, and with so much at stake, many organisations are outsourcing their IT requirements rather than attempting to manage everything in-house. While that may make good business sense, APP Entities should be aware that outsourcing does not mean they are absolved from responsibility under the Privacy Act. The NDB scheme applies whether an eligible data breach happens to the APP Entity itself, or to a contractor engaged by the APP Entity.
Contractors may not always have privacy policies and practices in place that meet the standards required by the Privacy Act. If the contractor is not itself an APP Entity, the NDB scheme would not apply to it, meaning that the contractor would not be under any statutory obligation to disclose data breaches. An organisation could therefore suffer a data breach through its contractor and not even know about it.
Organisations that are APP Entities should therefore check that their contractor agreements align with the organisation’s own data breach response plan. The agreements should cover issues such as:
- The extent to which the contractor is obliged to comply with the Australian Privacy Principles;
- What security standards the contractor is obliged to meet, and how the contractor monitors for data breaches;
- When, what and how the contractor must tell the organisation about any data breaches that are detected; and
- What role the contractor is expected to play in assessing and containing the effects of any data breach (and at whose cost).
Because the Personal Information involved in any data breach is likely to relate to the organisation’s customers or personnel, the organisation should also ensure that it retains control over the process of notifying the OAIC and any affected individuals (where applicable). The contractor should also be obliged to cooperate in investigating the cause of the breach and making any necessary changes to fix underlying security issues.
Organisations should also keep in mind that these issues apply to all contractors who might collect or handle Personal Information on their behalf – not just IT companies. The figures released by the OAIC show that the industry sectors that made the most notifications in the last quarter were health, finance, legal and accounting, education, and business and professional associations. The IT sector was not in the top 5.
This article was written by Bill Singleton, Partner and Kay Lam-MacLeod, Special Counsel.