11.  Protection of personal information and data protection

Personal information is defined in the Privacy Act 1988 (Cth) (Privacy Act) to mean information or an opinion about:

•  an identified individual, or

•  an individual who is reasonably identifiable,

whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

Contracts will contain provisions that prevent the supplier from collecting, using, storing, transferring or divulging personal information in a way that is contrary to the provisions of the contract or the Privacy Act. These provisions will usually require the supplier to provide the Commonwealth with a copy of the supplier's and any subcontractor's privacy policy, security and data protection policy, and any processes implemented by the supplier and the subcontractor(s) to comply with the Privacy Act. Even if a supplier is not covered by the Privacy Act (for example, because its turnover does not meet the threshold), the supplier will still be required to comply with the relevant provisions of the contract.

When managing a contract, it is vital that you are familiar with the specific provisions in your contract that relate to protection of personal information and data breaches. These provisions can be complex, and routinely refer to provisions of the Privacy Act, so it is advisable to seek legal advice if any issues arise.

You must have proper processes and procedures in place to request, receive and review the supplier's and subcontractors' policies and processes if the provisions of the contract require this. You may need to take specialist advice on whether these policies and procedures are adequate to protect against privacy and data risks, and decide how to manage any risks that arise in this area.