MILITARY LAW is satisfied that the delay is attributable to the resolution of the complaint (or where there are special circumstances which warrant an extension of time). 19 It would thus be prudent for potential suppliers to keep a detailed record of their interactions with the procuring entity in regards to their attempt to resolve the complaint. The Bill also provides that the FCC may award compensation for a contravention (or proposed contravention) of the CPRs. 20 The amount payable by a procuring entity is limited to the reasonable costs associated with the preparation of their tender, raising a complaint with the Commonwealth entity and attempted resolution of the complaint. 21 Further, the new arrangement “strengthens existing appeal arrangements” in a way which would meet prospective international obligations under the GPA and TPP. 22 Accession to the GPA will secure access to the government procurement market of the membership base. 23 DEFENCE CAPABILITY MAY BE IMPAIRED The primary strategic concern for the Department of Defence is the potential for the Bill to affect Defence’s ability to deliver capability to the Australian Defence Force. This may occur in instances where a public interest certificate is not issued and a Defence procurement is suspended (pending the outcome of the review). Further discussion on this point is necessary to provide clarity as to the criteria surrounding the issuing of public interest certificates. Under the Bill, successful compensation claims will be paid from departmental budgets. Given the scale, complexity and associated costs of Defence procurements, compensation awards may curtail the budget available for Defence projects. In this manner, the proposed operation of the Bill could impact on Defence capability. Arguably, risk management programs would be difficult to manage. Also of concern is the proposed timeline for initiating court 20 THE BULLETIN March 2018 action; the 10 day limit is not a timeline conducive to meaningful collaboration between Defence and suppliers. Rather, this aspect of the mechanism promotes an adversarial process. 24 By way of final comment, it will be interesting to observe whether further negotiations between Defence and the Department of Finance will address some of the noted concerns. Moreover, it will be critical to monitor the impact on Defence procurement, particularly, how the new complaints mechanism effects Defence capability. Dr Colette Langos is Operational Commercial Law Programme Coordinator, Research Unit on Military Law and Ethics at Adelaide Law School , and Alex Edgar is a research Associate at Adelaide Law School’s Research Unit on Military Law and Ethics. B Endnotes 1 Current CPRs came into effect March 2017 (See Department of Finance, Commonwealth Procurement Rules, https://www.finance.gov.au/ procurement/procurement-policy-and-guidance/ commonwealth-procurement-rules/. 2 Department of Finance, Commonwealth Procurement Rules, 2. Procurement framework also encompasses Department of Finance Procurement policy website; Finance Guidance (circulars); Chief Executive Instructions for agency specific rules which may be revised from time to time (e.g. Defence Accountable Authority Instructions). 3 Department of Finance, Commonwealth Procurement Rules, 11-18. 4 Note, section 23 of the Government Procurement (Judicial Review) Bill 2017 provides that contravention of the CPRs does not affect the validity of a contract award. 5 Depending on the nature of the alleged conduct, remedies may be based on principles of contract law. Alternatively, a decision may be reviewable under the Administrative Decisions (Judicial Review) Act 1977 (Cth); Senate Finance and Public Administration Legislation Committee, Inquiry into Government Procurement (Judicial Review) Bill 2017 Answers to questions taken on notice on 22 June 2017 from the Department of Foreign Affairs and Trade, received 6 July 2017, 2. 6 See, for example, Australia-United States Free Trade Agreement (AUSFTA), article 15.11–‘Domestic Review of Supplier Challenges’. Note, the Agreement to Amend the Singapore-Australia Free Trade Agreement, which entered into force 1 December 2017, contains a similar provision– article 18.5(a). 7 Australia is currently negotiating (multilaterally) regarding the content of the Annexes to the GPA agreement. Australia (along with 10 other countries) reached agreement on the final Comprehensive and Progressive Agreement for Trans-Pacific Partnership on 23 rd January 2018. The Agreement is expected to be signed in March 2018. 8 It implements Recommendation 11 of the 2014 Senate Finance and Public Administration References Committee’s reports into Commonwealth procurement procedures to establish and independent and effective complaints mechanism for procurement processes. See Explanatory Memorandum, Government Procurement (Judicial Review) Bill 2017. 9 A potential supplier does not need to demonstrate that they would have been awarded the contract but for the breach. Defence has raised their ongoing concern with the limitations of ‘standing’ regarding the review process. See, Senate Finance and Public Administration Legislation Committee, Inquiry into Government Procurement (Judicial Review) Bill 2017 Answers to questions taken on notice on 18 July 2017 from the Department of Finance, received 2 August 2017, 2. 10 Jurisdiction is held concurrently with the Federal Court. 11 Senate Finance and Public Administration Legislation Committee, Inquiry into Government Procurement (Judicial Review) Bill 2017 Answers to questions taken on notice on 22 June 2017 from Department of Finance, received 13 July 2017, 2. Note, decision to vest jurisdiction on the FCC was informed by extensive consultation. See, Government Procurement (Judicial Review) Bill 2017, Second Reading Speech, 25 March 2017. 12 Government Procurement (Judicial Review) Bill 2017, s 9(1)(2). 13 Ibid, s 11(1). 14 Ibid, s 19. 15 Ibid, s 20. 16 Ibid, s 11(2)(3)(4). 17 See, for example, Nick Seddon, Submission to the Senate Finance and Public Administration Legislation Committee: Inquiry into the provisions of the Government Procurement (Judicial Review) Bill 2017. 18 Department of Defence, Submission to the Senate Finance and Public Administration Legislation Committee: Inquiry into the provisions of the Government Procurement (Judicial Review) Bill 2017, 2. 19 Ibid, 1. 20 Government Procurement (Judicial Review) Bill 2017, s 16(a)(b). 21 Ibid s 16(c)(d). 22 Senate Finance and Public Administration Legislation Committee, Government Procurement (Judicial Review) Bill 2017 Answers to questions taken on notice on 22 June 2017 from the Department of Foreign Affairs and Trade, received 6 July 2017, 3. 23 This is estimated by the World Trade Organisation to be worth A$2.2 trillion. 24 The maintenance of long-term relationships with industry partners is critical to delivering Defence capability. See, Department of Defence, Defence Industry Policy Statement (2016), 19.
GRANT FEARY, DEPUTY DIRECTOR, LAW CLAIMS RISK WATCH Notifiable Data Breaches and the Privacy Act: Is your Law Practice bound? The Notifiable Data Breach Scheme imposes additional obligations on entities subject to the Australian Privacy Principles. You should carefully check whether your Law Practice is subject to the scheme. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) commenced on 22 February, 2018. The Scheme contained in this Act (the NDB scheme) is an adjunct to the Australian Privacy Principles (APPs). One of the key APPs is APP 11 which requires entities subject to the APP to take such steps as are reasonable in the circumstances to protect personal information that they hold from misuse, interference, loss and unauthorised access, modification or disclosure. The NDB Scheme requires entities which are subject to the scheme to notify the Australian Information Commissioner (AIC) and affected individuals if the entity has reasonable grounds to suspect that an “eligible data breach” has occurred. This is where there has been unauthorised access to or disclosure of information and a reasonable person would conclude that that access or disclosure would likely result in serious harm to any of the individuals to whom the information relates. The relevant entity must itself make a judgement as to whether it is likely that the data breach will result in serious harm. According to the Explanatory Memorandum to the NDB Scheme “serious harm” is defined as including: “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.” If an entity suspects that an eligible data breach has occurred the entity must investigate the relevant circumstances within 30 days and if such a judgement as to serious harm is made then the data breach must be notified to the AIC and the affected individuals. The notification must include: • the identity and contact details of the notifying entity; • a description of the data breach; • the kind of information concerned; and • recommendations about the steps that individuals should take. A failure to comply with an obligation to notify will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act and may result in orders for compensation or substantial penalties. So, you are probably thinking, that’s all very well but how is it relevant to my Law Practice? Obviously all law practices have duties of confidentiality with respect to their clients’ personal information imposed as a result of the solicitor-client relationship but is your Law Practice subject to the additional requirements contained in the APP and the NDB scheme? The APPs and, after 22 February, 2018 the NDB Scheme, apply to all business including law practices with an annual turnover of more than $3 million in any year since 2002. Businesses with a turnover of $3 million or less are known as “small businesses” in the Privacy Act. Whilst many such small businesses do not need to comply with the APPs, some small businesses that handle personal information do. The AIC publishes a checklist on the AIC website (Appendix A to Privacy Business Resource 10: Does my small business need to comply with the Privacy Act?). In summary though, if your Law Practice with a turnover of less than $3 million per annum: • does not provide health services; • is not related to a body corporate that is subject to the Privacy Act; • does not provide contracted services to the Commonwealth; • is not reporting entity or authorised agent of a report entity under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) or its regulations or rules; • does not carry on a credit reporting business; • is not an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth); • is not a protected action ballot agent for a protected action ballot conducted under Part 3-3 of the Fair Work Act 2009 (Cth); • is not a service provider that is required to comply with the data retention provisions in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth); or • has voluntarily opted into the Privacy Act, then it will not be bound by the APPs or the NDB scheme. It is unlikely that many Law Practices will be “caught” under these provisions. There is, however, another provision which some commentators think means that all Law Practices will be caught. This provision (Privacy Act s.6D(4)(c)) applies the APPs/NDB Scheme to small businesses which disclose personal information about another individual for a benefit, service or advantage. This provision, read literally, could, of course apply to Law Practices. The AIC’s check list and guidance documents, however, summarise this provision as applying to businesses that “trade” in personal information. Further, the AIC give an example of such a business as one where a small business “sells its customer list to a marketing company or gives its own list in return for another list”. This would, in my view, not be an apt description of the use of personal information in a Law Practice. In my view the situation is in fact made tolerably clear by s.6D(7) which provides that s.6D(4)(c) does not prevent an entity from being a small business only because it discloses personal information about another individual with the consent of that other individual. Again, in my view, a Law Practice disclosing personal information relating to a client to, for example, an insurance company or an opposing Law Practice in the course of acting for that client does so with the consent of the client and would therefore not be bound by the APP’s/NDB scheme. As noted above, some commentators disagree and assert that Law Practices that hold personal information (which of course will be all Law Practices) are bound. The Law Society is seeking further guidance from the AIC on this specific issue and further information will be provided to the profession as soon as possible. If your Law Practice does have a turnover of more than $3 million then the NDB scheme will be applicable to your law practice from 22 February, 2018 (and the APPs will have, of course been applicable to your law practice for some time). If your Law Practice does not have a turnover of more than $3 million then you should nevertheless carefully examine the AIC checklist and satisfy yourself that the APPs and the NDB scheme do not apply. March 2018 THE BULLETIN 21