01 Aug 2009
Outsourcing Arrangements and the Privacy Act
The outsourcing of business functions (such as information technology and customer support/call centres) to third party providers is a common and accepted business practice which can create financial savings and provide greater access to specialised technology and/or expertise. In many cases an outsourcing arrangement will at first glance seem like the "ideal solution". However, as it effectively involves the handing over of a potentially critical business function, there are a number of commercial, operational and legal issues which should be carefully considered before such an arrangement is proceeded with.
The majority of outsourcing arrangements will involve the transfer of, or the provision of access to, personal information or data from the customer to the service provider. The application of New Zealand's privacy laws (principally the Privacy Act 1993) will therefore be one of the key legal issues to be addressed. This will be especially so as we move further into a digitalised world where more often than not personal information is processed, stored and transferred electronically, resulting in heightened concerns about the protection and security of the individual's personal information and underlying right to privacy.
Privacy Act Overview
The Privacy Act governs the collection, retention, disclosure and use of personal information by agencies by requiring compliance with 12 information privacy principles (IPPs). "Personal information" is any information about an identifiable individual (e.g. individuals' names and contact details). "Agency" is also widely defined as any "person or body of persons, whether corporate or unincorporate…", meaning that (apart from a few limited exceptions) all businesses will fall within the definition and be subject to the Act.
Transfer of Information to a Service Provider
The first issue to consider from a Privacy Act perspective is whether the customer is entitled to transfer the personal information to the service provider. IPP 11 prohibits an agency from disclosing personal information held by that agency to another person unless the agency believes, on reasonable grounds, that one of the specified exceptions applies. The exceptions include where:
- the disclosure is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained; or
- the disclosure is authorised by the individual concerned.
Whether the customer is able to rely on one of the exceptions in IPP 11 will be a fact-specific enquiry. For example, it will be relevant whether the individuals from whom the personal information was collected were informed that their personal information may be disclosed in this manner. A privacy policy which addresses the issue of disclosure of personal information to third party service providers, and which is notified to the individuals at the time of the collection of the personal information, would help in this regard.
Information Held by a Service Provider under an Outsourcing Arrangement
The key requirements relating to personal information held by an agency are set out in IPPs 5 to 11. By way of summary, IPPs 5 to 11 provide that:
- IPP 5 - an agency must ensure personal information is protected, by such safeguards as it is reasonable in the circumstances to take, against loss, access, use, modification, disclosure or other misuse;
- IPP 6 - individuals are entitled to obtain from an agency confirmation of whether the agency holds personal information about them, and to have access to that information;
- IPP 7 - individuals are entitled to request an agency which holds personal information about them to correct the information and attach to the information a statement of the correction sought but not made;
- IPP 8 - an agency must not use personal information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that the information is accurate, up-to-date, complete, relevant and not misleading;
- IPP 9 - an agency must not keep personal information for longer than is required for the purposes for which the information may lawfully be used;
- IPP 10 - an agency that obtained personal information in connection with one purpose must not use the information for any other purpose unless the agency believes, on reasonable grounds, that one of the specified exceptions applies;
- IPP 11 - an agency must not disclose personal information to another person unless the agency believes, on reasonable grounds, that one of the specified exceptions applies.
Under section 10 of the Privacy Act the application of these IPPs can also extend to information held outside of New Zealand. Specifically, information held by an agency will include information held outside of New Zealand by that agency for the purposes of IPPs 6 and 7. This will also be the case in respect of IPPs 5 and 8 to 11 provided that the information in question has been transferred out of New Zealand. There is, however, an effective "immunity" granted to agencies which breach these IPPs in respect of information held by them outside of New Zealand if doing so was necessary to comply with any applicable foreign laws.
With regard to outsourcing arrangements, the Privacy Act contains a key "deeming provision" which will (in most cases) have the effect of making the customer still responsible for the personal information transferred to the service provider and the service provider's subsequent handling of that information. By virtue of section 10 (discussed above), this will also generally be the case with respect to service providers based offshore. The deeming provision is set out in section 3(4) of the Act, which provides that:
"…where an agency holds information –
- solely as agent; or
- for the sole purpose of safe custody; or
- for the sole purpose of processing the information on behalf of another agency, -
and does not use or disclose the information for its own purposes, the information shall be deemed to be held by the agency on whose behalf that information is so held or, as the case may be, is so processed."
It follows that an action by a service provider in breach of one of IPPs 5 to 11 may be deemed to be an action of the customer. For example, if a service provider fails to put in place reasonable security safeguards to protect the personal information held on the customer's behalf and as a result there is a security breach where personal information is disclosed to unauthorised third parties, the customer may be found responsible for this failure by the service provider.
From the customer's perspective it is therefore important that the service provider understands the obligations under these IPPs and puts in place appropriate privacy practices and policies to ensure compliance with them.
The Outsourcing Agreement
The key way of mitigating or managing the Privacy Act risks associated with a service provider handling personal information on behalf of a customer as part of an outsourcing arrangement is to include appropriate obligations, restrictions and protections in the outsourcing agreement. These might include:
- restrictions on the purposes for which the service provider may use the personal information;
- security/confidentiality measures that the service provider must have in place to protect the personal information;
- restrictions on the circumstances in which the service provider may disclose personal information;
- a general obligation on the service provider to comply with the IPPs; and
- an obligation on the service provider to comply with any requests from the customer to enable the customer to comply with any applicable privacy laws.
If the service provider will be collecting personal information on the customer's behalf, it may also be appropriate to include requirements in relation to the matters which should be disclosed to individuals at the time the information is being collected (e.g. the purposes for which the information will be used).
While compliance with privacy laws is only one of many issues to be considered when assessing an outsourcing proposal, it is an issue that is likely to assume more and more importance as the global reliance on information technology and the associated concerns around data security grow. Establishing appropriate privacy policies and requiring any service providers to adhere to those policies and the applicable laws are key to ensuring your business's Privacy Act compliance.