A guide to privacy & service providers
By Ben Winslade, Senior Solicitor
Giving a service provider access to your organisation's personal information opens the door to significant privacy risks - many of the most serious and well known data breaches have been caused by a service provider failing to adequately secure its customer's data. Yet often little detailed consideration is given to the privacy issues involved in contracting with a service provider until it is too late.
There are two very good reasons to take privacy issues seriously from the outset. Firstly, whenever a customer provides personal information to a service provider, the entire process of dealing with that service provider is subject to extensive obligations under the Privacy Act 1993. To comply, organisations will need to demonstrate that they have done everything they reasonably can to protect the data. Secondly, in many situations, an organisation is actually taking on legal liability for the service provider's actions with the personal information. If the service provider accidentally loses or discloses personal information, it will be the customer organisation (not the service provider) who will be held legally responsible for the breach.
Thinking clearly about privacy and taking a few practical steps to address the areas of greatest risk will allow organisations to comply with their own regulatory obligations and to have greater confidence in taking on liability for a service provider's actions.
Legal obligations on a customer
The starting point to the consideration of privacy and service providers is a clear understanding of the legal obligations which apply to an organisation. While all 12 of the information privacy principles contained in the Privacy Act 1993 (the Act) may be relevant to aspects of the services under any contract, Principle 5 is particularly important as it governs the process of a customer granting a supplier access to its information.
Principle 5 requires an agency to ensure that:
- the personal information is protected by such security safeguards as it is reasonable in the circumstances to take against loss, unauthorised access, use, modification, disclosure or other misuse; and
- if it is necessary for the personal information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of that information.
There are several points worth noting about this principle. Firstly, there is no presumption that agencies are permitted to disclose information to service providers - the Act only contemplates service providers having access to personal information "if it is necessary". While most outsourcing or cloud computing arrangements are convenient or even efficient, seldom are they "necessary", in the strict sense of the term. An organisation can usually perform an equivalent function in-house but it is simply more difficult and less cost efficient to do so. Fortunately the Tribunal cases decided under the Act so far have given quite a broad interpretation of "necessary" (in contrast to Europe, for example), which is unlikely to prevent most outsourcing or cloud computing arrangements. However, it will be interesting to see if that position changes over time as a result of the increasing volume of cloud computing services on offer or following a particularly serious privacy breach.
The second point is perhaps more immediately relevant: if an agency does disclose personal information to a service provider it is subject to quite an onerous requirement - the customer must do "everything reasonably within the power of the agency" to prevent unauthorised use or disclosure by the service provider. On the face of it this is very broad, and (somewhat unusually in the context of the Act) is not qualified by a reference to the circumstances of the particular case. The use of "reasonably" in this context appears to relate primarily to a determination of matters which are within the power of the agency, rather than the actions themselves, particularly when the wording is compared to the general security obligation in the first bullet point above. This may mean that, for example, if there are two possible ways of preventing unauthorised use or disclosure by a service provider, one relatively cheap and the other quite expensive, the customer agency is required to carry out both of them, regardless of the value of the transaction or the sensitivity of the information.
There is definitely a potential conflict here between this incredibly broad obligation to protect information and the quick and carefree way that an organisation can now send its information to a cloud computing provider, in a matter of seconds via a few mouse clicks.
While there have been few significant cases determined under this provision so far, it will hopefully be given a pragmatic interpretation by the Commissioner and Tribunal. Even so, how many organisations will feel comfortable putting forward a case that they have done everything reasonably within their power, if this is ever examined in the context of a serious privacy breach?
While it may be difficult to be certain you have complied with such an exacting standard, in the privacy context doing something is always better than doing nothing. The more steps you are able to point to in satisfaction of the obligation, the better a position you will be in. This guide sets out some basic practical steps an organisation can take to satisfy the procedural obligation in relation to service providers and place itself in the best possible compliance position.
Step 1: Agent or Agency?
The starting point for any customer considering using a service provider is to establish whether, in relation to any given services, the provider will be acting as an agent on behalf of the customer or not. This is the crucial step in determining how in practice an organisation should address the appropriate risks.
Section 3(4) of the Act provides that where an agency holds information:
• solely as agent;
• for the sole purpose of safe keeping; or
• for the sole purpose of processing the information on behalf of another agency;
and does not use or disclose the information for its own purposes, the information shall be deemed to be held by the agency on whose behalf that information is so held or processed.
Many service providers who are given access to personal information fall into this category, for example an outsourced data centre, a payroll processing company or a website hosting provider. In each of those examples, the service provider will hold and/or process the customer's personal information, but only as an agent on behalf of the customer, and in accordance with the customer's instructions.
Where s3(4) applies, the customer will remain responsible for compliance with the Act, even while the information is being handled by that service provider. If an outsourced data centre, for example, accidentally discloses some of its customer's information to a third party, then it will generally be the customer who will be deemed to be in breach of Principle 11 of the Act, not the data centre. In any situation where a customer is taking on legal responsibility for its service provider in this fashion, it is important that it places the supplier under some fairly specific contractual obligations which reflect this.
However, not all service providers will be agents for the purposes of section 3(4). In some cases, a service provider will use or disclose the information for its own purposes rather than on behalf of the customer. For example, an organisation might enter into a contract with a Kiwisaver provider which involves the organisation supplying certain personal information about its employees to the Kiwisaver provider to open their accounts and manage payments directly from employee salaries. However, that information will be handled by the Kiwisaver provider for its own purposes - it will not necessarily be acting as an agent for the employer, and it will not be storing the information solely on the employer's behalf. Where a service provider is not acting as an agent on behalf of a customer, then detailed contractual provisions about their handling and use of data are not appropriate.
Whether a particular service provider will be acting as an agent on your behalf or as an agency in its own right is generally a question of fact which needs to be looked at on a case by case basis with reference to the particular services. An attempt to agree a particular arrangement (e.g. that a service provider shall not be an agent of the customer) in the contract is unlikely to be successful if it is directly contradicted by how the relationship operates in practice. However, particularly in cases which fall into the grey area between the two scenarios, the wording of the contract might be influential in the determination of this question. In any event, the appropriate type of due diligence and contract clauses will be quite different for scenarios where a service provider is acting as an agent and where it is not.
Step 2: Due diligence
As explained above, the obligation on a customer is to do everything reasonably within its power to ensure personal information provided to a service provider is protected. While it may be unclear exactly how far that obligation extends, it is certainly likely to cover some preliminary investigation into a proposed service provider and how they intend to protect personal information. This can often be combined with a general consideration of the potential privacy impact of engaging the supplier (known as a privacy impact assessment). Ideally this should be done at the RFP stage, so that differentiation between different suppliers' protection of personal information can be factored into the decision making process. The outcome of the due diligence process can then also be used to structure the appropriate contractual provisions.
A number of questions should be asked of potential suppliers regarding their approach to privacy and handling personal information. For example: Do they have personal information policies in place? Where do they propose to store the information? Will it be held outside NZ, and if so in what countries? What training do their staff undergo in relation to privacy? Has the service provider been involved in any data breaches?
The nature and extent of the due diligence/privacy impact assessment process will be determined by a number of factors, but it need not be a lengthy bureaucratic process involving a formal document. So long as you are able to document that you have gone through a process of thinking about the relevant issues, that is likely to be sufficient in many cases.
The type of process used will often depend on a risk assessment of all the relevant factors. That is: whether the service provider will be acting as an agent on behalf of the customer or not (if so, then more specific attention will be required), the quantity and sensitivity of the information being provided, whether any cross-border transfers are involved, and the length of the contract. If the service involves cloud computing, that may also be a factor. In general, the greater the amount of personal information a service provider will have access to and the more sensitive the data, the more detailed the due diligence enquiry should be.
Step 3: Draft the Contract
The type of contractual provisions put in place with a service provider will depend on whether the service provider is acting as an agent, or will be a separate agency in its own right under the Act (see Step 1).
Service provider as agent
Where a service provider is acting as your agent, it is important to place some very specific obligations on them with respect to the data. A simple obligation to "comply with the Privacy Act 1993" is unlikely to be sufficient, as by virtue of s3(4), the agent actually has no legal obligations under the Act!
The following are examples of the provisions which are often appropriate:
• an obligation to only hold, use or disclose the personal information in accordance with the customer's instructions;
• obligations to put in place appropriate security measures to protect the personal information;
• a restriction on the transfer of personal information outside New Zealand;
• a procedure for dealing with any access requests from individuals;
• a right of audit for the customer over all aspects of the service provider's use of the personal information; and
• an indemnity for any claims from individuals or the Privacy Commissioner arising out of the service provider's failure to comply with the contractual obligations.
Service provider as a separate agency
Where a service provider will have access to information as a separate agency in its own right, it is important to avoid including contractual provisions (such as those listed above) associated with a supplier acting as an agent on your behalf. Not only are these unnecessary, as the service provider will be separately responsible under the Act for its own compliance, the presence of such clauses could be used to assist an argument that you should be liable for the service provider's actions as an agent pursuant to s3(4) of the Act.
Instead, the contract should explicitly recognise that the service provider will be acting as a separate agency, not on behalf of the customer and oblige the supplier to comply with all the provisions of the Act. It may also be necessary to deal with privacy notices already provided by the customer or access requests made to either party.
Step 4: Monitor Performance
Bearing in mind both the ongoing potential liability of a customer where a supplier is acting as its agent and the customer's obligation to do everything reasonably within its power, it is important that a service provider's handling of personal information is closely monitored throughout the course of a contract. Periodic reviews which specifically examine and update data security methods (which change rapidly over time), use of audits and prompt investigation of any issues or potential breaches are all important. It is often still possible to minimise liability arising out of a breach by acting promptly and decisively to minimise harm when issues do arise.
Again, in this context it is useful to keep written records of reviews held, audits undertaken and discussions held with the service provider.
Summary
In the event of a serious privacy breach, often the focus of the Privacy Commissioner's investigation will be on the steps taken by the customer agency to secure the personal information and comply with the Act. This may be the case even where the breach has been caused by a failure on the part of the service provider.
However, by thinking about whether a service provider will be acting as an agent or a separate agency in its own right, conducting a thorough due diligence of the proposed handling of personal information before awarding the contract, negotiating appropriate contractual provisions and actively monitoring the service provider's compliance with them, organisations can both reduce the likelihood of breaches occurring and minimise their potential exposure if (when?) they do.
Copyright © Anchorage Trustees 2012