The Privacy and Data Protection Act 2014 (the Privacy Act) came into effect on 17 September 2014. The Privacy Act replaced the Information Privacy Act 2000 and the Commissioner for Law Enforcement Security Act 2005 with a single Act that is intended to strengthen the protection of personal information and other data held by the Victorian public sector.
The Privacy Act aims to increase public confidence in government's ability to protect and manage the personal information that it collects and stores, and applies to contractors to government (referred to in the Act as 'contracted service providers') as well as government organisations.
The Privacy Act does this by re-enacting the 10 Information Privacy Principles (the IPPs), which have been enforceable since 1 September 2002 and attract penalties for non-compliance. The list of IPPs and further relevant information can be obtained from the Commissioner for Privacy and Data Protection website <https://www.cpdp.vic.gov.au>.
Within the Partnerships Victoria context, consideration needs to be given to the sort of information collected and stored in relation to the project services. The Privacy Act is relevant only where either or both of the parties to the contract collect and store personal information (including 'sensitive information') about individuals. If the Privacy Act is relevant to the project, then the compliance obligations imposed by the Act need to be satisfied and incorporated into the government party's information management plan, compliance program and project contracts. Separate legal advice should also be obtained from within the government party in relation to its Privacy Act compliance program.
Section 17 of the Act provides that a government organisation will be responsible for any breaches by a contracted service provider of the IPPs or an applicable code of practice unless two conditions are satisfied:
1. The government contract provides that the contracted service provider will be bound by the IPPs or any applicable code of practice in the same way that it would apply to the government organisation.
2. The IPPs or applicable code of practice is capable of being enforced against the contracted service provider.
In order to ensure that the contracted service provider is held responsible for breaches of the IPPs, a provision invoking the limited indemnity in s. 17 of the Privacy Act should be inserted into the project contract. This is the case whether or not the private sector party is also bound by the National Privacy Principles in the Privacy Act 1988 (Cwlth).
A government party can also be liable for breaches of the IPPs by subcontractors of a private party. The contract between the government party and the private party should therefore prohibit subcontracting by the private party unless the government party consents, or the subcontract includes a pre-agreed clause that applies the Privacy Act to the subcontractor.
By including these clauses in the contract, the government party binds the contracted service provider and any later subcontractor to the IPPs in the same way and to the same extent as the government party is bound. A separate contractual financial indemnity owed by the private party to the government party should also be included to support the non-compliance indemnity provided for by s. 17 of the Privacy Act.
Like the Privacy Act, the Health Records Act 2001 establishes standards, called Health Privacy Principles (HPPs), for the collection, handling and disposal of health information in the public and private sectors. For further details, visit the Department of Health and Human Services website <https://www2.health.vic.gov.au/about/legislation/health-records-act>.