New VCAT decision in relation to outsourcing under the Privacy and Data Protection Act 2014 (Vic)
VCAT’s recent decision in Send v Department of Jobs, Precincts and Regions (Human Rights) [2024] VCAT 1130 provides clarity and reassurance for the Victorian Government regarding liability under the PDP Act.
In this decision, VCAT determined that, if a services contract between a Victorian Government entity contains a provision requiring the contracted service provider to comply with the Information Privacy Principles (IPPs) and any applicable code of practice in the PDP Act which meets the requirements of section 17(2) and (3) of the PDP Act, then only the contracted service provider is liable for breaches of the IPPs.
For context, section 17(4) of the PDP Act provides, in general terms, that the relevant Victorian Government party (referred to in the Act as the ‘outsourcing party’) will be responsible for an interference with privacy which is caused by its contracted service provider unless:
- the services contract contains a provision which meets the requirements of section 17(2) of the PDP Act; and
- the IPP or applicable code of practice to which the interference with privacy applies is capable of being enforced against the contracted service provider.
To extend on the first bullet point above, a provision which meets the requirements of section 17(2) is a provision under which the contracted service provider agrees to be bound by the IPPs and any applicable code of practice. This applies to any act done, or practice engaged in, by the contracted service provider for the purposes of the services contract in the same way and to the same extent as the outsourcing party would have been bound if it had directly performed or engaged in that act or practice.
In Send v Department of Jobs, Precincts and Regions (Human Rights) [2024] VCAT 1130, the complainant was a job applicant to the Department. The Department had contracted a service provider (who also used a subcontractor) to assist with recruitment for the role for which the complainant had applied. The contracted service provider (and its subcontractor) assisted with the carrying out of personality assessments for the recruitment. The complainant took issue with the conclusions drawn by the assessments and complained to the Office of the Victorian Information Commissioner and asserted that the Department had breached numerous IPPs.
Amongst other things, VCAT was required to consider whether the department was liable under the PDP Act for an act done by its contracted service provider (and subcontractor) where:
- the act was done for the purposes of the services agreement between the Department and the contracted service provider; and
- the act constituted an interference with the complainant’s privacy.
It is important to note that the parties had agreed as part of the proceedings that:
- the services contract did contain a provision of the type referred to in section 17(2) of the PDP Act; and
- the conduct of the contracted service provider that was the subject of the complaint was for the purposes of the services contract with the Department.
However, the complainant sought to argue that section 17(4) operated to make both the Department and its contracted service provider liable for the interference with privacy under the PDP Act.
In what will come as a relief to Victorian Government entities subject to the IPPs, VCAT found that because the Department established that the provision referred to in section 17(2) of the Act existed in the services contract, then the Department could not be responsible for the interference with privacy. In particular, VCAT found that the services contract ‘passes any responsibility the respondent might have had for interferences with the complainant’s privacy to [the contracted service provider].’
Key takeaways
Given the ever increasing risk and likelihood of privacy breaches, the Victorian Government’s exposure for a claim for interference with privacy which is caused by a service provider is an ever growing concern.
To mitigate this risk, it is important for agencies to ensure that provisions of the type referred to in clause 17(2) of the PDP Act are included in services contracts.
Do you have any further queries about the privacy clauses in your services agreements?
Please contact us about your concerns
Keep up to date with our legal insights and events
Sign upRecent articles
What Victorian Government personnel need to know about ensuring privacy compliance with ChatGPT usage
Findings on practical uses of Generative AI (GenAI) in the Victorian Public Service.
FOGO is GO GO in NSW
The NSW Government has legislated local councils collect and transport food and garden organics waste from 1 July 2030.
Goldmate Reversed – The Public Purpose Must Be Authority Specific
Transport for NSW acquired part of a property owned by Goldmate Property Luddenham No 1 Pty Ltd
Partner
Melbourne