The Privacy Act 1988 treats private sector government contractors, known as contracted service providers (CSPs) differently. The Act requires agencies to take contractual measures to ensure that CSPs, including subcontractors, do not breach the IPPs. It is therefore the IPP's and not the NPPs which apply to CSPs. The CSP's privacy obligations are derived from the contract. Therefore agencies need to ensure that contractual clauses are consistent with the privacy obligations that apply. An act done or practice engaged in by a CSP that is authorised by the contract will not breach an NPP or an approved privacy code.

The Act applies to CSPs regardless of when the contract was entered into. Therefore there is an obligation on agencies to include privacy clauses in contracts prior to the commencement of the Act . The provisions also apply to acts and practices of CSPs after completion or termination of the contract. A small business operator that is also a CSP will be subject to the legislation in respect of the performance of that contract. That is, it cannot benefit from the small business exemption for contractual matters.

To ensure that people are able to find out what privacy standards apply, agencies and CSPs are required to release on request details of privacy clauses in their contracts.

A CSP is expressly prohibited from using or disclosing personal information collected under a Commonwealth contract for direct marketing purposes unless this a necessary part of the contract itself.

Complaints

All complaints in relation to the acts or practices of Contracted Service Providers (CSPs) are to be handled by the Privacy Commissioner. The CSPs are liable for their own acts and practices. The outsourcing agency is to be given notice of any determination against a CSP.

In circumstances where an individual is unable to obtain a remedy from a CSP, the Privacy Commissioner can substitute the agency for the CSP. This ensures that the agency remains ultimately responsible for the acts and practices of its CSPs.