The Privacy Act 1988 (Cth) treats private sector government contractors, known as contracted service providers (CSPs), differently. The Act requires agencies to take contractual measures to ensure that CSPs, including subcontractors, do not breach the APPs. The CSP's privacy obligations are derived from the contract. Therefore, agencies need to ensure that contractual clauses are consistent with the privacy obligations that apply.
The Act applies to CSPs regardless of when the contract was entered into. Therefore, there is an obligation on agencies to include privacy clauses in contracts prior to the commencement of the Act. The provisions also apply to acts and practices of CSPs after completion or termination of the contract. A small business operator that is also a CSP will be subject to the legislation in respect of the performance of that contract. That is, it cannot benefit from the small business exemption for contractual matters.
To ensure that people are able to find out what privacy standards apply, agencies and CSPs are required to release on request details of privacy clauses in their contracts.
Complaints
All complaints in relation to the acts or practices of Contracted Service Providers (CSPs) are to be handled by the Office of the Australian Information Commissioner. The CSPs are liable for their own acts and practices. The outsourcing agency is to be given notice of any determination against a CSP.
In circumstances where an individual is unable to obtain a remedy from a CSP, the Office of the Australian Information Commissioner can substitute the agency for the CSP. This ensures that the agency remains ultimately responsible for the acts and practices of its CSPs.