The Queensland Government is currently undertaking a review of the Right to Information Act 2009 (Qld) (RTI Act) and Information Privacy Act 2009 (Qld) (Information Privacy Act).
The Government recently published a consultation paper (Consultation Paper) which looks at issues raised in 2013 and new issues in 2016, including several that will be particularly relevant to contracted service providers (CSPs) delivering services on behalf of Queensland Government agencies.
What do CSPs need to know?
- The Queensland Government is conducting a review of the RTI Act and Information Privacy Act. The review started in 2013 under the previous Government.
- The 2016 Consultation Paper asks 34 questions about a range of issues and foreshadows possible changes in the RTI Act and Information Privacy Act.
- Consultation questions of main interest to CSPs would include: Whether the RTI Act and Chapter 3 of the Information Privacy Act should be extended to cover documents of CSPs where they are performing functions on behalf of Government? And whether the privacy obligations under the Information Privacy Act should be extended to sub-contractors?
- Public comment on the Consultation Paper is due by 3 February 2017.
Jump to:
- What are the RTI Act and IP Act about?
- Why is this consultation happening?
- What issues are considered in the consultation paper?
- Other issues
- How can a CSP make a public submission?
What are the RTI Act and Information Privacy Act about?
In general, the RTI Act gives a right to apply for access to documents held by government agencies and Ministers. It also requires government agencies to proactively make information available through publication schemes (which require certain agency documents to be placed on websites) and disclosure logs (which require documents released as a result of RTI applications to be published online).
The Information Privacy Act provides two sets of privacy principles (called “IPPs” and “NPPs”) which regulate the way public sector agencies collect, store, use and disclose personal information about individuals. Chapter 3 of the Information Privacy Act also provides an individual with rights to access documents of an agency or Minister to the extent they contain personal information about that individual, and to correct personal information held by those agencies.
Why is this consultation happening?
The Consultation Paper is part of a mandatory review of the RTI Act and Information Privacy Act.
When the review process started in 2013, the previous Government published two Discussion Papers and received 67 submissions. Some of the issues raised and submissions received have been incorporated into the new Consultation Paper, together with new issues for public consultation.
The objects of the 2013 and 2016 reviews include:
- whether the primary object of each Act remains valid;
- whether the Acts are meeting their primary object;
- whether the provisions of the Acts are appropriate for meeting their primary object; and
- to investigate specific issues recommended by the Minister or the information commissioner.
What issues are considered in the Consultation Paper?
Among the 34 questions in the Consultation Paper, two are directly relevant to “contracted service providers” (CSPs) who provide outsourced services on behalf of Government:
Q4. Should the RTI Act and Chapter 3 of the Information Privacy Act apply to the documents of CSPs where they are performing functions on behalf of Government?
Q6. Does the Information Privacy Act deal adequately with obligations for CSPs? Should the privacy obligations in the Information Privacy Act be extended to sub-contractors?
We further discuss these issues below.
Q4. Should the RTI Act and Chapter 3 of the Information Privacy Act apply to the documents of CSPs where they are performing functions on behalf of Government?
The 2013 Discussion Paper acknowledged the continuing trend of outsourcing service delivery to CSPs and the possible consequence of a lowering or loss of public accountability because the RTI Act and Chapter 3 of the Information Privacy Act provide no statutory right of access to documents held by CSPs. But submissions to the 2013 review acknowledged that the administrative burden and costs to CSPs if they were treated as “agencies” under the RTI Act (including processing RTI applications, and complying with the publication scheme and disclosure log requirements).
The Consultation Paper now seeks public comment on whether the approach in section 6C of the Commonwealth Freedom of Information Act 1982 Cth (FOI Act) should be adopted in Queensland. Under section 6C, when an FOI application is made to an agency for documents held by its CSP, the CSP must provide the documents to the relevant agency which remains responsible for processing the FOI application. The Consultation Paper suggests adopting this approach would enable right-to-information access without “unduly” burdening the CSP.
We have had cause to review service agreements which contractually require the CSP to provide documents (except where the documents are exempted) and assistance to agencies to respond to RTI requests. In this context, we anticipate “unduly” merely means, no higher burden than the CSP may have under its contract with the agency.
CSPs should consider whether this change (if incorporated into the RTI Act) would place an unreasonable burden on them; and if not already, ensure the CSP has put processes and procedures into place for responding to an agency’s requests for relevant documents of the CSP which contain personal information.
Q6. Does the Information Privacy Act deal adequately with obligations for CSPs? Should privacy obligations in the Information Privacy Act be extended to sub-contractors?
This issue was not raised in the 2013 Discussion Paper.
Unlike the RTI Act, the privacy obligations under the Information Privacy Act can extend to CSPs. Section 35 of the Information Privacy Act requires agencies to take all reasonable steps to ensure that a contracted service provider is required to comply with the NPPs, IPPs, or “transfer of information” provisions, as applicable. If the agency does not take steps to find a contracted service provider and there is a breach of a privacy principle, the agency itself is liable for the breach.
In our experience, agencies typically include provision in their service agreements which require CSPs to comply with the agency’s privacy obligations. See for example, clause 18 in the Queensland Government Service Agreement - Standard Terms for Social Services. Clause 22.2(d) further requires CSP to ensure that any subcontractor complies with the Service Agreement as if the subcontractor were a party to it.
So despite the Information Privacy Act does not automatically bind CSPs and subcontractors to the privacy provisions in that legislation, in practice this is addressed by contract—and arguably the questions posed in Q6 are a non-issue. But in terms of legal risk, unless the Information Privacy Act is changed, the agency remains liable to the extent its CSP is not contractually required (by a clause such as clause 22.2(d)) to ensure its subcontractor complies with those privacy obligations, or where the CSP fails to ensure the subcontractor complies with the agency’s privacy obligations.
CSPs should review whether their service contracts with Queensland Government agencies require them to comply with the agency’s privacy obligations (some older contracts might not have been amended to include this requirement), and to the extent the services are subcontracted, whether the CSP’s subcontracts include clauses which also require the subcontractor to comply with the privacy obligations.
Other issues
Other questions and issues covered by the Consultation Paper include:
- Should the way the RTI Act and Chapter 3 of the Information Privacy Act applies to statutory bodies and government owned corporations (GOCs) with commercial interests be changed? Should some GOCs be treated differently?
- Whether the categories of exempt information should be increased or decreased?
- Whether the public interest test should simplified or changed, and if yes how?
- Should the Departmental Disclosure Log requirements be extended to other agencies and Ministers?
How can a CSP make a public submission?
The RTI Act and Information Privacy Act are important to public information management, accountability and transparency, and therefore any potential changes to Government policy or these Acts should be carefully considered and a wide range of views taken into consideration.
The Department of Justice & Attorney-General's website describes the requirements and process for making submissions to the public consultation process.
If your organisation is a CSP or if you have another interest in providing input to this review, we can assist you in preparing your submission.
Submissions are due by 3 February 2017.
For more information or discussion, please contact HopgoodGanim Lawyers' Privacy and Data Protection team.