Are third parties a part of your first line of defence?
Organisations are engaging third parties to deliver non-core business services, increasing their privacy and data protection risk exposure. How can you make your third parties part of your first line of defence?
Organisations are increasingly outsourcing non-core business services to third parties because it is cost-effective and lets the organisation focus on its core business.
Organisations use third parties for many purposes, including marketing, technology support, mailing letters and other documents, hosting information in data centres, and even running core operational systems and software.
In Australia, as in other jurisdictions, an organisation is responsible for the personal information in its custody, and that responsibility extends to the parties with which it shares such information. An organisation that engages third parties to perform business functions therefore increases its exposure to privacy and data protection risk with each engagement.
Also, as organisations become more transparent about their privacy practices so that customers know how their personal information is used, third parties that remain less open about their own practices can leave an organisation less transparent than it believes itself to be.
It has been observed that some organisations:
- Do not know all third parties which supply services on their behalf;
- May not have agreements in place with each of these third parties; and
- May not know whether these third parties are contractually required to comply with the Australian Privacy Principles (APPs).
In addition, some third parties may:
- Refuse to allow an organisation to perform a privacy assessment of their services during vendor selection; and
- Refuse to include specific terms in contractual agreements, such as those requiring compliance with privacy requirements relevant to the organisation, on the grounds that generic terms apply to all of their clients.
Organisations should treat third parties as extensions of themselves and therefore make compliance with organisational privacy requirements mandatory. When engaging new third parties or managing existing ones, organisations should:
- Include privacy requirements in the vendor selection process
- Ensure the third party will allow a privacy assessment to be performed
- Understand where the third party will store information
- Understand which other parties (subcontractors and sub-processors) the third party itself uses
- Understand how the third party plans to protect information
- Ensure agreements contain:
  - The privacy compliance requirements that are mandatory for the third party, for example adherence to the ISO privacy framework, ISO security standards or specific privacy principles in legislation
  - The roles and responsibilities of the third party, including its notification obligations in the event of a data breach
  - Clauses stating that information may be used and disclosed only for the purpose for which it was provided, and that the organisation must be informed if there is a risk that information could be used or disclosed for other purposes
  - How the third party plans to protect the information.
It is important for organisations to understand their third-party information landscape and to ensure that the privacy function, or the key privacy stakeholders within the organisation, has input into third-party and vendor management processes.
We often help our clients where there are privacy compliance challenges with third parties. We are also always interested to hear about how organisations extend privacy compliance requirements out to the third parties they engage.