FOIREQ19/00252 001
Commissioner brief: OAIC regulation of privacy matters
relating to offshore contracts
Key points
Under the Privacy Act 1988 (Privacy Act), DIBP (now Home Affairs) has a number of
privacy obligations in regard to its contracted service providers (CSPs).
In 2016, the OAIC assessed DIBP’s contract management in relation to privacy
matters for the CSPs operating at its regional processing centres (RPCs). Specifically,
whether DIBP met its obligations under APP 1.2 (Open and transparent management
of personal information) and APP 11 (Security of personal information), and s 95B of
the Privacy Act.
At that time, the OAIC found that DIBP did not have in place adequate formal policies
for engaging DIBP’s privacy staff and that contractual terms did not adequately
safeguard personal information that may be held by the CSPs.
The OAIC recommended that DIBP include additional provisions relating to privacy
and information security in its contracts for services in its RPCs, its contracts for
services in its RPCs should include specific categories for reporting privacy and
information security complaints and breaches, and that it establish a program of
audits to assure itself that its CSPs are meeting their obligations with regard to
privacy and information security.
The OAIC made four recommendations, and DIBP accepted these recommendations.
Application of Privacy Act to DIBP’s offshore contractors
In addition to its requirements under APP 1.2 and 11.1 (with regard to CSPs), s 95B of
the Privacy Act requires DIBP to take contractual measures, in any Commonwealth
contract that it enters into, to ensure that a CSP does not do an act or engage in a
practice that would breach an APP if done or engaged in by DIBP. DIBP must also
ensure that its Commonwealth contracts do not authorise a CSP to do or engage in
such an act or practice, and to ensure that such an act or practice is not authorised
by a subcontract.
These requirements are related to the APPs —for instance, the reasonable steps to
secure personal information, as required under APP 11, may include the use of
appropriate contractual measures.
DIBP assessment: ‘Assessment of contractual provisions for services in regional processing centre’
In September 2016, the OAIC assessed DIBP’s privacy obligations in relation to its
contracts with CSPs for services related to DIBP's RPCs on Manus Island and Nauru.
Specifically, the assessment considered whether DIBP was meeting its privacy
obligations under APP 1.2 and APP 11.
Page 1 of 4
FOIREQ19/00252 002
As the focus of the assessment was on DIBP’s contracts for services related to its
RPCs, the OAIC also had regard to DIBP’s obligations under s 95B of the Privacy Act.
The scope of the assessment did not consider broader procurement and contract
management issues in relation to these RPCs. The OAIC is aware that these matters
were considered by concurrent audits of the Nauru and Manus Island RPCs by the
Australian National Audit Office.
The OAIC published this report in March 2018 (https://www.oaic.gov.au/privacy-
law/assessments/assessment-of-contractual-provisions-for-services-in-regional-
processing-centres-department-of-immigration-and-border-protection).
The OAIC made four recommendations, and DIBP accepted these recommendations.
The recommendations, DIBP’s responses, and DIBP’s actions as of March 2018 are
set out in the table below. A fol ow-up of this assessment has not been undertaken.
Document history
Updated by
Reason
Approved by
Date
Kellie Fonseca
Page 2 of 4
FOIREQ19/00252 003
Recommendations
No.
OAIC Recommendation
DIBP Response/ further information
DIBP Action taken
1
DIBP should ensure that its internal policies and
Agree. DIBP agrees that consultation with the Privacy
There are currently a number of contracts being
procedures require that the Privacy and Reviews
Section (formerly Privacy and Reviews Section) should be
negotiated and the Privacy Section is actively being
Section be:
improved in the development of new contracts.
consulted as part of the process.
o consulted during the development of new
contracts for services relating to regional
Agree. Under the Garrison and Welfare Contract, the CSP
During end of contract transition, DIBP engages ICT
processing centres, and
must report when suspected Code of Conduct breaches
resources to ensure that all systems and data is
o advised of suspected or actual privacy or
occur at the time of the event, and report monthly on
protected and sanitised. All hard copy records are
information security breaches and privacy
actual breaches. In addition, any suspected privacy or
similarly managed. Any suspected privacy breaches
complaints in its RPCs when these breaches or
information security breaches are reported through
are reported immediately to privacy, IT security and
complaints are reported to it by CSPs.
situation reports and investigated by the contract
records management teams.
management team.
2
DIBP should ensure that future contracts:
Agree. DIBP agrees to consider the scope of guidance and
Privacy and the Records Management Sections have
o provide guidance to CSPs as to the reasonable
requirements in future contracts with CSPs in relation to
been involved in the current transition/end of
steps that CSPs should take to secure personal
securing personal information.
contract processes. In addition, oversight by the
information. This could include (but should not be
National Archives of Australia to ensure that all
limited to) a security standard that CSPs should
Agree. Irrespective of the issues that OAIC has noted in the
Commonwealth material and privacy considerations
meet.
documentation provided to the OAIC for the assessment,
are managed.
o include provisions ensuring that subcontractors
DIBP confirms that future contracts require subcontractors
handle personal information in a manner
to handle personal information in a manner consistent with DIBP has in place processes to manage the electronic
consistent with DIBP’s privacy and information
DIBP’s privacy and information security obligations.
and paper records/data as part of transition
security obligations.
including destruction on authority of the National
o include provisions setting out CSPs’ obligations
Agree. DIBP agrees to consider the obligations and
Records Manager.
concerning privacy and information security at
requirements for each CSP in relation to information
the completion or termination of the contract.
security at the completion or termination of the respective
This should include, as appropriate, destruction
contracts.
and de-identification of personal information, in
accordance with APP 11.2 and the Archives Act
1983 (Cth).
3
DIBP’s incident management arrangements under
Agree.
For future contracts established by DIBP for services
contracts for services relating to regional processing
that relate to regional processing operations, DIBP
centres should include an incident category for privacy,
agrees to include in the incident management
including privacy complaints and actual or suspect
arrangements, protocols or procedures privacy
privacy or information security breaches.
Page 3 of 4
FOIREQ19/00252 004
concerns, including privacy complaints and actual or
suspected privacy or information security breaches.
Of particular relevance to existing contracts, DIBP
considers that, it and CSPs are able to effectively and
expediently address privacy and information security
risks by amendments to operational material and
relate to the respective contracts — including
standard operating procedures, transition plans, etc.
4
DIBP should:
Agree.
DIBP will establish a program of proactive privacy
o establish a program of proactive privacy and
and information security assurance activities of CSPs'
information security assurance activities of CSP’s
Agree. DIBP agrees that the Privacy Section should be
arrangements in RPCs.
arrangements relating to privacy and information
involved from the outset in planning assurance activities.
security in RPCs. These activities could include, for
Compliance audits will be undertaken to ensure that
example, regular audits or inspections of CSPs’
CSPs' procedures and systems align with privacy and
procedures and systems in its RPCs to assure DIBP
security approaches. During the transition of
that privacy and security requirements are being
contracts, data and information activities are
met
planned with the Privacy and the Records
o ensure that the Privacy and Reviews Section is
Management Sections in collaboration with IT
involved in planning these activities, and advised
security to ensure that data and records are
of their findings.
protected.
Page 4 of 4