This precedent has been authored by Dr. Gordon Hughes, Principal, Davies Collison Cave Law.
Introductory note
Unless exempted as a “small business” under sections 6C and 6D of the Privacy Act 1988 (Cth) (Act), a party will normally have a statutory obligation to handle personal information received from the other party in accordance with the constraints imposed by the Australian Privacy Principles. A “privacy clause” does not necessarily expand a party’s statutory obligations, but the ramifications of breaching the contract following a data breach may be more commercially damaging for a party than any exposure under the Act itself.
Functions of a privacy clause
A privacy clause can, in any event, serve a useful function by allocating roles and responsibilities in some important respects. Under Part IIIC of the Act, for example, a party will have an obligation to notify the Privacy Commissioner (see section 26WK of the Act) and affected individuals (see section 26WL of the Act) where a data breach is likely to result in “serious harm” to any of the individuals to whom the information relates (see section 26WE(2) of the Act).
Sometimes contractual parties may share, or potentially share, responsibility for a data breach. Where this is the case, it is not necessary for both parties to provide notification: once one party has complied with the notification requirements, the other is relieved of the obligation (see section 26WJ of the Act). The contract may clarify which party is to exercise notification responsibilities in these circumstances. In some instances a party may wish to “control the message”, and in other instances a party may wish to dissociate itself as far as possible from the incident.