Important Update

Privacy risks of outsourcing agency marketing 

Outsourcing your agency’s marketing activities to external service providers can raise privacy risks

In January 2020, a Victorian Council considered using a third party service provider to manage marketing and communications with members of its fitness and leisure centres.  The provider operates outside Australia. 

 

Having considered the terms of the Council’s agreement with the provider, the OVIC considered the proposed outsourcing (in this instance) could be inconsistent with the Council’s obligations to comply with the Victorian Information Privacy Principles, specifically, IPP 9.  IPP 9 obliges organisations to make sure that any personal information sent outside of Victoria (“transborder data flows”) would be protected to an equivalent standard afforded by Victorian privacy law. 

 

In a media release , the OVIC confirmed that although Victorian organisations may outsource functions (such as marketing and communications), an organisation “cannot outsource its duty to protect the privacy of the people whose information it holds”.

 

In our experience, many clients, including non-Council clients, rely increasingly on outsourcing many of their functions and services.  Although the OVIC’s comments were directed (in this instance) to marketing and communication activities, we strongly support the comments as being relevant to any activities that your organisation engages third parties to conduct or perform on your behalf. 

 

If your organisation is engaging a third party service provider and that provider will handle personal information, you must address the requirements of IPP 9, for example in the terms of your contract with the provider, or ensuring that you can demonstrate the organisation has obtained the consent of the concerned individuals.  It’s also important to note that equivalent obligations exist in relation to Health Privacy Principle 9 of the Health Records Act 2001 (Vic) for health information your organisation holds.  

 

These and other privacy issues are particularly apt at present, with an exponential increase in use of remote access service providers and products to provide organisational business continuity during the COVID-19 outbreak.   To echo the words of the OVIC:

"As entities move fast to find solutions to public health and economic problems, Privacy Commissioners and Ombudsmen reiterate the value of conducting short-form Privacy Impact Assessments to help ensure personal information is handled in a way that is necessary, reasonable and proportionate."

 

We already have a number of clients contacting us for assistance to ensure their new or existing working arrangements do not expose their organisations unnecessarily to privacy complaints. 

 

If you need any assistance or advice about IPP 9, or whether your agency’s existing or proposed use of third party providers could expose the agency to a privacy complaint, or if you just want some help in minimising privacy risks in the current COVID-19 environment , please contact us.