Another important aspect of performance accountability in the delivery of public services by the private sector is the question of privacy. All Commonwealth agencies are subject to the Privacy Act 1998, which contains a number of Information Privacy Principles (IPPs) that provide for the security and storage of personal information. The IPPs state that if a record is to be given to a service provider, the recordkeeper (ie the agency) must do everything reasonably within its power to prevent unauthorised use or disclosure of information contained in the record.
In the past, the obligations that apply to Commonwealth agencies under the Privacy Act have not applied to private sector organisations. However, the Privacy Amendment (Private Sector) Act 2000 was introduced in December 2000 to provide privacy protection for personal records across the private sector, including those organisations providing outsourced services to the public sector. A key provision of the Act is the inclusion of ten 'National Privacy Principles for the Fair Handling of Personal Information'. This legislation is likely to have a marked impact on the private sector's involvement in the delivery of public services.118
The Act enables a contract between a Commonwealth agency and the private sector supplier to be the primary source of the contractor's privacy obligations regarding personal records. The contractual clauses must be consistent with the IPPs that apply to the agency itself, and details of these privacy clauses must be released on request. Section 95B of the Act requires agencies to consider their own obligations when entering into Commonwealth contracts and obliges them to take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an Information Privacy Principle if done by the agency. The obligation on the agency extends to ensuring that such an act or practice is not authorised by a subcontract. Under the Privacy Act as currently constituted, privacy monitoring of outsourcing arrangements falls into two stages:
● assessing the privacy control environment, particularly by ensuring that outsourcing arrangements are governed by contracts that contain appropriate privacy clauses; and
● monitoring the actual implementation of the controls, particularly by monitoring compliance with the contractual clauses.119
In practice, to date, feedback from outsourcing agencies and contractors suggests that few, if any, complaints have arisen in relation to privacy breaches associated with outsourcing contracts.120 However, as the private sector becomes more and more involved in the delivery of public services, it is important that there is clear accountability for the protection of personal information contained in records gathered by either the public or private party in the delivery of those services. The expectation that agencies cannot outsource accountability suggests that public sector agencies should remain responsible and accountable for ensuring the private sector parties adhere to any contractual obligations relating to the requirements of the Privacy Act. Indeed, the ANAO's audit of the Commonwealth Government's IT outsourcing initiative recommended that, in implementing IT outsourcing arrangements, agencies develop a specific strategy for monitoring external service providers' compliance with contractual privacy obligations.121 Both the whole-of-government response to the audit and the Privacy Commissioner agreed with that recommendation, with the Privacy Commissioner commenting:
If contractual clauses are to deliver effective privacy protection there needs to be a mechanism in place to ensure that both parties meet their privacy obligations.122