"But I Outsourced That!" – Why You’re Still on The Hook Under The Privacy Act

Think outsourcing means you’ve handed over the responsibility for personal information? Think again.

Under the Privacy Act, even if you outsource operations to a third party, your organisation remains accountable for the personal information they access and manage on your behalf.

What does this mean in practice?

  • Deciding what information they should collect – your responsibility

  • Determining how it should be collected – your responsibility

  • Providing a privacy notice – your responsibility

  • Ensuring it’s secure – your responsibility

  • …and the list goes on.

Section 11 of the Privacy Act specifies that it’s not considered a disclosure or use when a third party manages your organisation’s personal information solely for your purposes, making them a processor.

However, this changes if the third party can use that information for their own purposes, shifting them from processor to controller. An example is allowing a third party to use your organisation’s personal information to train their AI model for the benefit of all their customers.

The OPC has a great flow diagram outlining responsibilities when third parties are involved, along with advice on “Working with third-party providers”.

When a third party is acting as your processor, you’ll want contractual safeguards to ensure they handle personal information in line with your standards. These often include clauses on:

  • Limits on how the information can be used

  • Confidentiality

  • Security controls

  • Breach notification

  • Assistance with access and correction requests

  • Retention and disposal

  • Audit rights

  • Subcontracting

With the upcoming IPP3A (indirect collection) changes, many organisations are reviewing their third-party relationships. If the third party acts solely as your processor, transferring information to them is neither a collection nor a disclosure, so IPP3A doesn’t apply.

That said, contract reviews are the perfect opportunity to ensure all the right clauses are there to protect your organisation and the people whose information you hold.
