Inclusion of a Privacy and Notifiable Data Breaches clause is mandatory, but use of this specific clause is optional.
|Legislation / Policy||
Privacy Act 1988 (Cth) available at:
|Legislation / Policy contact|
Australian Privacy Principles available at: https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles
Seek guidance from your entity's Privacy Contact Officer.
The clause must be included in any Contract where the Supplier is providing services under a ‘Commonwealth contract’ as defined under the Privacy Act 1988 (Cth) (Privacy Act) (see S6 of the Privacy Act). This clause ensures that the Supplier does not act or practice in such a way that would breach an Australian Privacy Principle. The Privacy Act also requires that the Contract contain provisions that such acts or practices are not authorised by a subcontract.
Where the Supplier is required to disclose Personal Information by law or to the Australian Information Commissioner, this clause requires the Supplier to notify the Customer.
The clause also includes provisions that will apply where there is a suspected or actual Eligible Data Breach. It allows the Customer to issue directions to the Supplier in relation to suspected or actual Eligible Data Breaches. For example, the Customer may decide to itself carry out an assessment of a suspected Eligible Data Breach under section 26WH(2) of the Privacy Act 1988 (Cth) and this clause enables the Customer to issue a direction to the Supplier to assist with this.
This clause requires the Supplier to keep the Customer notified where the Supplier is aware that it has breached or that there may be a breach of its obligations to set out in this clause.
This clause should be read together with the audit clause which gives the Customer the right to access records and premises of the Supplier to assist in monitoring compliance with the Privacy Act 1988 (Cth).
Privacy and Notifiable Data Breaches
X.1 In providing the Goods and/or Services, the Supplier must comply, and ensure that its officers, employees, agents and subcontractors comply with the Privacy Act 1988 (Cth) and not do anything, which if done by the Customer would breach an Australian Privacy Principle as defined in that Act. The Supplier will notify the Customer if it becomes aware that it may be required to disclose Personal Information by law or to the Australian Information Commissioner.
X.2 If the Supplier becomes aware that there are reasonable grounds to suspect that there may have been an Eligible Data Breach in relation to any Personal Information held by the Supplier as a result of this Contract or its provision of the Services, the Supplier agrees to:
- notify the Customer in writing as soon as possible, which must be no later than within 3 days; and
- unless otherwise directed by the Customer, carry out an assessment in accordance with the requirements of the Privacy Act 1988 (Cth).
X.3 Where the Supplier is aware that there are reasonable grounds to believe there has been, or where the Customer notifies the Supplier that there has been, an Eligible Data Breach in relation to any Personal Information held by the Supplier as a result of this Contract or its provision of the Services, the Supplier will:
- take all reasonable action to mitigate the risk of the Eligible Data Breach causing serious harm to any of the individuals to whom it relates;
- unless otherwise directed by the Customer, take all other action necessary to comply with the requirements of the Privacy Act 1988 (Cth); and
- take any other action as reasonably directed by the Customer.
X.4 The Supplier must ensure that any subcontract entered into by the Supplier for the purposes of fulfilling the Supplier’s obligations under the contract imposes on the Subcontractor the same obligations regarding privacy and notifiable data breaches that the Supplier has under the Contract. Each subcontract must also require the same obligations (where relevant) to be included by the Subcontractor in any secondary subcontracts.
X.5 The Supplier will notify the Customer as soon as reasonably practicable if it becomes aware of a breach or possible breach of the obligations contained in this clause.
Contracts that are ‘Commonwealth contracts’ as defined in the Privacy Act must include a clause of this type.
Standardisation of contractual text results in efficiencies for both Parties to a contract. Before deciding whether a particular clause is appropriate, procurement officials should carefully consider the context of their procurement.
Clause wording would generally need to be changed where:
- the Supplier is likely to hold particularly sensitive Personal Information,
- the Supplier may have access to protected information for example information about a person obtained under relevant programme legislation, such as the social security or taxation law, such that additional requirements need to be imposed on the Supplier,
- there is likely to be joint management of Personal Information, and/or
- the Contract represents a high risk of harm if a data breach occurred, because of the nature of the Goods and/or Services,.
In these situations, it may be appropriate for more detailed provisions to be included that set out the requirements and obligations on the Supplier. For example it may be appropriate for the clause to contain an express requirement for the Supplier to comply with applicable provisions in relevant programme legislation in addition to any requirements of the Privacy Act.
In high risk circumstances, it may also be appropriate to ensure that any potential losses or damage which may be incurred as a result of any breach of this clause are covered in the indemnity clause included in the Contract.
Clause wording may also need to be changed to ensure that there is no ambiguity or overlap with clauses dealing with audit, freedom of information, subcontracting and notification of contractual breaches. Otherwise, where this clause is included, the clause wording should be used without change.
Terms that are capitalised may need to be changed to align with the Contract terminology. ‘Personal information’ and ‘Eligible Data Breach’ should be defined by reference to the definitions in the Privacy Act.