Outsourcing 2019 Second Edition

Last Updated October 28, 2019

Australia

Law and Practice

Authors



Maddocks is a leading Australian law firm with offices in Canberra, Melbourne and Sydney. The firm was founded in Melbourne more than 130 years ago, is one of the oldest in Australia, and now provides legal services to corporations, businesses and governments throughout Australia and internationally. Outsourcing is a key area of practice for the firm. Lawyers are engaged in outsourcing of a wide range of systems and processes for public and private sector clients. Much of that work is performed for government clients at the Commonwealth, State and Territory and local government levels. Services are provided by our leading public sector team to Commonwealth, State/Territory and local government clients and by our commercial team to a wide range of private sector clients. We advise on the full range of outsourcing-related transactions in sectors including technology and telecommunications, defence, building and construction and infrastructure, property and real estate, office services, warehousing and distribution, travel services, health services and training services.

Outsourcing of ICT services is continuing to grow in popularity. Organisations are continuing to outsource ICT services to professional ICT companies so that they can focus on core business requirements.

This section discusses trends in ICT outsourcing, and how the market has shifted from traditional IT contractual models. Subsequent questions discuss the impact of new technology, such as artificial intelligence and blockchain, and the legal risks organisations face when implementing these types of technologies (and how to manage these risks).

The most prevalent modern trends in IT outsourcing contracts are:

  • a focus on managed services or solutions, rather than the supply of technology; and
  • the utilisation of cloud services products, rather than on-premise equipment.

As a consequence, there has been a shift to funding models that rely almost entirely on operational expenditure (opex), rather than a combination of upfront capital expenditure (capex) and ongoing opex.

Managed Services

The concept of "managed services" is extraordinarily broad, and it is used widely in IT contracts. The term "managed services" might be used to describe anything from services provided to manage the provision of a business function (such as document management), to services provided to manage complex end user services involving the provision of personal computers, business applications and support.

Before the inception of the term "managed services", traditional IT outsourcing contracts encompassed the following features:

  • the supply or management of a customer’s ICT infrastructure and/or end user computing requirements; this might include the supply of mainframes, servers, network infrastructure, operating software, application software, desktop computers or personal computers;
  • the supply or management of a customer’s licensed software;
  • the provision of user support, or management of support delivered by other providers;
  • asset management to maintain an ongoing, accurate inventory of equipment and software installed in the environment;
  • licence compliance management to assist the customer to ensure it has complied with applicable licensed rights; and
  • on-site services at the customer’s premises.

A traditional outsourcing contract would therefore cover matters such as the following:

  • identification of the customer’s environment;
  • a description of components of the required infrastructure (hardware and software);
  • a description of categories of services required to keep the infrastructure running;
  • a description of support requirements for the infrastructure and/or for end users; and
  • service levels for ongoing measurement of the performance of the infrastructure (eg, availability, reliability) and service levels for support.

In summary, the focus of a traditional IT outsourcing contract is weighted towards inputs and technical performance standards, rather than looking at business needs more holistically.

Organisations now recognise that an overly prescriptive contract may not be suitable, and it may be more appropriate to draft a contract with a greater emphasis on outcomes and business-needs performance measures, with built-in agility. As a result, modern managed services contracts are often directed towards the following:

  • describing the customer’s business needs;
  • describing the services required to meet those needs;
  • service levels that measure the service outcome, rather than input performance; and
  • inclusion of collaboration tools such as steering committees, governance frameworks or strategic performance levels to ensure ongoing support and optimisation of the services.

Therefore, a modern managed services contract might have the following attributes:

  • a description of the business needs that the managed services are designed to meet;
  • a description of the nature of the relationship the customer expects from the provider, with specific requirements and measures for that relationship;
  • a description of the managed services solution drafted to reflect the business need (for example, a high-level description might reflect a customer’s requirements that its users are provided with the technology they need to meet customer portfolio requirements, for all its sites, for all its users, with in-built flexibility for change);
  • details of the categories of services required, such as end user device requirements, internet access requirements, document management requirements, and/or telecommunications requirements;
  • performance standards designed to reflect the needs of users, eg, timeframes for meeting service requests for supply of equipment or access rights, security requirements, incident response and resolution times;
  • when appropriate, specific functionality requirements or minimum technology requirements;
  • a governance regime focusing on measuring the outcome of the services, rather than the performance of specific technology enablers;
  • flexible pricing based on resource units and/or consumption metrics; and
  • a performance management framework covering qualitative measures as well as traditional quantitative measures.

Modern managed services contracts may also need to support digitised services, which means the contract may include provisions designed for automation in business processes (see 1.3 New Technology).

Emerging issues for managed services contracts include the following:

  • the need to ensure a consensual understanding of the business need and the requirements of the managed services solution provided;
  • clarity of the description of the customer’s expectations and a performance framework that does not leave the parties in dispute about the application of the framework; and
  • a governance regime that properly encompasses management of the business objectives, and not just performance of service inputs. This regime might involve describing and measuring the way the supplier works to ensure the customer has the best possible advice on opportunities for innovation, transformation or improved efficiencies.

Cloud Services

Cloud services products are increasingly being utilised to provide business functionality without the need for substantial infrastructure investment. 42% of businesses in Australia reported using a paid cloud service (APS 2019), which is likely to be due to the perception that cloud services provide substantial cost and efficiency benefits.

However, there are still major customer risks in utilising cloud services, and this is having an impact on uptake. These include:

  • Third-party software licence terms: a range of cloud services providers are utilising third-party software in the provision of services, and this software often comes with specific terms or requirements that are included through “click-wrap” mechanisms or non-negotiable contract annexes;
  • Security: providers offering cloud services utilising infrastructure that they do not fully control are unwilling to commit to security requirements as strong as those included in contracts involving equipment, software and premises that are within the control of the customer or the provider. This infrastructure is increasingly located or collocated in third party data centres, with some providers not being transparent as to the location or collocation of the infrastructure;
  • Flexibility: while providers often market cloud services as a flexible, consumption-based way of procuring ICT business functionality, in reality most cloud services contracts require a minimum take-up period and limited opportunity for flexibility within that period; and
  • Tailoring: cloud services are generally designed to be configured for specific customer needs. However, because they are generally offered as a standard product, providers usually will not agree to any modification of their cloud services product (in contrast to software licensors, who often do have a standard process for software modification that customers can utilise).

Customer approaches to these issues may include:

  • Third-party software licence terms: clarifying in the contract what terms apply and how the parties will deal with “click-wrap” terms;
  • Security: including risk mitigations instead of a security protection guarantee or seeking suppliers that are compliant with specific security standards;
  • Flexibility: buying a shorter-term subscription and pre-negotiating the cost of changing the volume of usage; and
  • Tailoring: clarifying in the contract the specific configuration requirements the customer requires the product to accommodate (the provider may be contracted to provide professional services to achieve configuration).

This area of the market has not substantially changed from the perspective of identifying and describing the business process to be outsourced. Rather, BP outsourcing has evolved to incorporate new technology and services solutions, including managed services approaches. As a result of this evolution, the market is more competitive with fewer geographic limitations.

New technologies such as artificial intelligence (AI), robotics, blockchain and smart contracts are enablers. Each of these forms of technology offers a new way of solving existing business needs. The standard ICT contract risks are all relevant to these new forms of technology. However, these risks manifest differently as a result of new technology. This section will address how these technologies are affecting the market, from increased efficiency to the increased risks inherent with new and innovative methods.

Automation and Autonomy

Each of these new technologies uses a degree of automation in its functionality. This leads to enterprise solutions that can interpret information automatically with fewer errors, resulting in enhanced productivity. This type of technology easily adapts to change, and is primarily used to increase efficiency, which is useful in emergency situations where a human response is too slow and possibly inefficient.

For example, the more information AI systems process, the more effective they become at analysing information and responding to requests. AI can use this ability to analyse and respond to information to formulate responses to mundane queries and tasks without the direct input of a human. This leaves the human time to focus on more strategic objectives.

In addition, the use of blockchain technologies may be beneficial to vendors with multiple data sources in a multi-vendor ICT environment because information is transparent, traceable, and allows users to interact directly without use of a "middle man". This is particularly useful where collaboration is a key element of the ICT environment.

In using automation and autonomous systems, organisations are faced with legal risks such as:

  • Who is responsible if the automated response is wrong?
  • Who is responsible if the person engaging with the automation tool does not follow instructions?
  • Who should own any IP in developments in the tool created as the tool develops ("learns") on the job?
  • How will businesses employing automation technology face growing security and privacy concerns?

IT outsourcing businesses are able to use automation to do the following:

  • provide operational efficiencies by limiting repetitive tasks, which may reduce project delays;
  • conduct sourcing, supply chain and procurement processes which may ensure accurate data processing and accountable transactions;
  • meet compliance standards; and
  • reduce costs.

Performance Management

Traditionally, responsibility for performance (such as meeting service levels or other performance measures) lay with the service provider. However, suppliers providing ICT outsourcing services using new technologies are less likely to accept the same degree of responsibility for performance. This is because they provide the systems on an "as is" basis and may not guarantee a high standard of performance.

The risk for customers is that there is no assurance that the system will work in accordance with its specifications. Customers will, therefore, have to balance the risk of unreliability and unavailability against the commercial benefits of acquiring an automated system. However, even if accuracy is not guaranteed, these systems have often been shown to have a considerably higher level of accuracy (as well as operating much faster) than human equivalents.

Privacy

Privacy is a particular issue for blockchain technology, including smart contracts, because altering and removing information is difficult. These technologies are designed to retain and analyse data, which may include metadata that can be linked to personal information.

Privacy is also an issue for automated systems. For example, this could be because their engagement with people does not allow for human intervention to control the disclosure of personal information.

Businesses will need to ensure that appropriate safeguards are in place to protect the information. Contracts should include risk mitigations, such as automated disclaimers, for these matters.

Liability

Liability is a legal risk for automatic and autonomous systems because it may be difficult to determine responsibility. For example, it may be difficult to ascertain how damage or injury was sustained as a result of malfunction of a robotic tool.

Organisations will have to ensure that contractual documents clearly specify the liability of each party, including any necessary allocation of liability in situations in which responsibility may be unclear.

Enforceability

Enforceability is a risk for smart contracts in Australia because their viability is yet to be addressed by Australian courts. Although a legally enforceable smart contract must still meet the traditional elements of a contract, its terms only exist in machine readable code. This means that, in the event of contractual dispute, interpretation can be difficult, particularly because the identity of the other party to the contract, and their capacity to enter into the contract, is usually unknown.

The fact that these contracts are written by coders who interpret instructions from lawyers provides an additional layer of risk.

Jurisdiction

Because nodes on a blockchain can be located anywhere in the world, the issue of jurisdiction may create a legal risk for organisations. This is because it may be difficult to determine the appropriate governing law if there is a dispute. In addition, it may be difficult to ascertain the location or identity of a user that has made a fraudulent transaction.

Organisations should therefore ensure that jurisdiction is clearly specified when using blockchain and smart contracts.

One trend to watch is the move towards engaging service providers to meet a defined business need, without reference to any technology or other inputs required to meet that business need. An example is a government agency that engages a provider to develop a system to provide certain services to the general public, on demand. The agency may enter into a contract by which it will fund the service fee charged to members of the public who receive the required government service, without any reference to the technology to be used.

Another emerging trend is the move towards service providers offering their own proprietary infrastructure and data sources and structures, without reference to the data sets and types in the customer’s existing systems (be they legacy systems or continuing systems). This creates additional proprietary data sets and has the effect of making transition-in, transition-out and future integrations more difficult.

Data management, security, privacy and "ownership" are all key questions being asked by customers in the context of modern outsourcing solutions.

There is no overarching regulation of outsourcing in Australia.

Accordingly, the regulatory and legal framework applicable to the outsourcing will depend on the nature of the particular customer (eg, government or private sector), and the industry or other sector to which the outsourcing relates.

This section provides a high-level overview of some of the key legal, regulatory, and industry specific restrictions commonly applicable to ICT outsourcing in Australia, as an example drawn from the industry sector in which there is considerable outsourcing. 

It also examines data security obligations and data processing restrictions in Australia, and some contractual protections commonly included in outsourcing contracts which concern privacy and data collection, storage and use.

There is no legislation in Australia which is expressed to apply generally to all outsourcing arrangements or which imposes restrictions on all outsourcing arrangements. Rather, outsourcing arrangements need to facilitate and ensure the outsourced service provider’s compliance with the following:

  • legislation that applies to the customer because of the nature of the customer;
  • regulatory frameworks that apply to the customer because of the specific industry or sector in which that customer operates;
  • applicable government policy requirements; and
  • the general law applicable to all commercial contracts.

Each of these is considered in more detail below.

Legislative Frameworks Which Apply Because of the Nature of the Customer

Some legislative frameworks will only apply if the customer is a particular type of entity.

Public sector customers

Commonwealth public sector entities must comply with obligations under the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act), which establishes a system of governance and accountability for expenditure of public resources, including for outsourcing. All procurement must be conducted in accordance with the Commonwealth Procurement Rules (CPRs), made under the PGPA Act. The CPRs mean that Commonwealth public sector entities must carefully approach the market and (among other requirements) select an appropriate outsourcing service provider that provides the best value for money for the Commonwealth. This means that procurement for outsourcing by Commonwealth public sector customers will usually involve detailed specifications and evaluation processes.

Similarly, State and Territory public sector entities and local governments are also required to comply with similar legislation and regulations that apply to procurement by these entities, including outsourcing.

“APP entities”

All customers (and service providers) that are “APP entities” must comply with the Privacy Act 1988 (Cth) (Privacy Act). Most Commonwealth public sector agencies and other private sector organisations are “APP entities” (there are some exemptions).

While the Privacy Act does not restrict outsourcing itself, its obligations in relation to the collection, use and disclosure of personal information may impact on the scope, methods and contractual obligations for an outsourcing arrangement.

Regulatory Frameworks Which Apply Because of the Customer’s Specific Industry

This section discusses applicable regulatory frameworks for three industries or sectors in Australia. There are, of course, many other sectors that have specific regulatory regimes.

Public sector customers

Public sector entities are, generally, responsible for the administration of a range of specific legislation, which can contain particular agency reporting obligations or restrictions on the use or disclosure of particular information collected or stored by that entity. These requirements or restrictions may apply directly to any outsourced service provider, or the relevant legislation may only permit the agency to disclose specific information to outsourced service providers in particular circumstances. If this is the case, an outsourcing arrangement would need to be consistent with those circumstances, which will generally require the inclusion of specific terms in the contract which regulate that aspect of the outsourcing arrangement.

Customers regulated by APRA

The Australian Prudential Regulation Authority (APRA) regulates entities which are often the customer in an outsourcing arrangement, including banks, authorised deposit-taking institutions, registered superannuation entities and general life and health insurers.

Entities regulated by APRA must comply with specific prudential standards and practice guides. These include the Prudential Standard CPS 231 Outsourcing, Prudential Standard HPS 231 Outsourcing and Prudential Standard SPS 231 Outsourcing, each of which sets out the rules and requirements for certain regulated entities to outsource a “material business activity”. A “material business activity” is one that has the potential, if disrupted, to have a significant impact on operations or the ability to manage risks effectively.

The Prudential Standards require:

  • customers to maintain minimum procurement standards and processes for outsourcing arrangements (including mandatory notification to APRA); and
  • for CPS 231 and SPS 231, certain requirements to be addressed in any outsourcing contract (including in relation to liability and indemnity, subcontracting and insurance).

Telecommunications sector customers

Telecommunications providers and internet service providers are regulated by a range of Australian legislation. For example, under the Telecommunications (Interception and Access) Act 1979 (Cth), customers are required to notify the Communications Access Co-ordinator of changes to a telecommunications service or system that are likely to have a material adverse effect on compliance with the legislative requirements. This expressly includes entering into certain outsourcing arrangements.

Government Policy Requirements

Commonwealth or State government policy requirements may also have an impact on outsourcing. The Digital Transformation Agency implements the Commonwealth’s ICT procurement policy, including through the Secure Cloud Strategy and some mandatory ICT panel arrangements.

The Commonwealth also requires consistency with PSPF and ISM security requirements (see 2.4 Penalties for Breach of Such Laws: "Commonwealth Security Policy Framework"). While these policy requirements do not directly affect a public sector customer’s ability to outsource, they can have an impact on the range of suppliers and the technologies that will be acceptable for use in outsourcing arrangements.

Similarly, some States and Territories have their own policy requirements and guidelines relevant to ICT outsourcing. For example, the Victorian Government has released its Information Technology Strategy, Victorian Government 2016-20, and a Cloud-based ICT Services Checklist Guideline. Similarly, the New South Wales Government has its Digital Government Strategy and NSW Government Cloud Policy.

Public sector customers are also required, by applicable government policies, to comply with many other requirements - from gender equality obligations, to encouragement of Australian industry participation, to strict access and audit requirements. While these policies principally apply to the customers themselves, some of them have an impact on service providers or on the way customers construct their contracts with service providers, ie, by contractually passing on the obligations so that the customer is able to meet legislative requirements that apply to it.

Most recently, the Commonwealth has implemented the Black Economy Procurement Connected Policy that applies to all non-corporate Commonwealth entities. Businesses tendering for contracts valued over AUD4 million (inclusive of GST) are required to provide a statement from the Australian Taxation Office showing they have a satisfactory tax record. This policy affects large scale outsourcing projects and applies to both local and international providers.

Laws that Apply to Commercial Contracts Generally

Outsourcing arrangements are subject to a range of common law and Commonwealth and State and Territory laws that are applicable to commercial contracts generally (eg, laws restricting enforcement of unjust or unfair contracts and sale of goods and consumer protection laws).

A key protection for customers, which cannot be excluded by contract, is the prohibition of "misleading and deceptive conduct" under s 18(1) of the Australian Consumer Law, which is contained in Schedule 2 to the Competition and Consumer Act 2010 (Cth). This is a broad provision that prevents entities from engaging in conduct that is misleading or deceptive or is likely to mislead or deceive. It has been very broadly interpreted by the courts in a very wide variety of factual circumstances.

This is addressed in the response to 2.2 Industry Specific Restrictions on Data Processing or Data Security and 2.4 Penalties for Breach of Such Laws, which set out key privacy legislation.

Privacy

The Privacy Act is the main law in Australia governing how data is to be held and managed, but there are also State and Territory laws containing largely similar obligations. As discussed in 2.2 Industry Specific Regulations, compliance with the Privacy Act is mandatory for all APP entities, which may be both public and private sector bodies.

Under the Privacy Act, APP entities may only use personal information for the purpose for which that information was collected, unless the individual concerned has consented or one of a number of other specific exceptions apply. As there is no exception expressly permitting use or disclosure by an APP entity to another entity as part of an outsourcing arrangement, information flows, privacy notices and consent arrangements need to be carefully considered for any outsourcing transaction if the ICT service provider will be handling any personal information for the customer.

The Privacy Act also obliges APP entities to take steps that are reasonable in the circumstances to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Accordingly, security arrangements for any outsourcing transaction need to be reasonable and should be clearly documented.

The Privacy Act includes a mandatory notifiable data breaches (NDB) scheme, which obliges APP entities to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm (including recommendations of the steps the individual should take in response to the breach). The Office of the Australian Information Commissioner (OAIC), which administers privacy policies and enforces the Privacy Act, must also be notified. ICT outsourcing contracts increasingly include processes for consultation before any notification is made under the NDB scheme.

Special provisions apply to a contracted service provider (including a subcontractor) handling personal information under a Commonwealth contract. For example, an agency entering into a Commonwealth contract must take contractual measures to ensure that the contracted service provider does not do an act, or engage in a practice, that could breach an Australian Privacy Principle (APP) if done or engaged in by the agency.

The Privacy Act also creates a framework for the cross-border disclosure of personal information. Before an APP entity discloses any personal information to an overseas recipient, it must take reasonable steps to ensure the recipient does not breach the APPs and the disclosing entity generally remains accountable for any breach by the overseas recipient, unless an exception applies (for example, the OAIC has provided guidance in relation to the provision of some cloud services where the Australian APP entity does not release the handling of the information from its effective control). Accordingly, outsourcing transactions typically include carefully considered obligations and protections if overseas disclosure of personal information is contemplated.

Additionally, some specific legislative regimes prohibit certain data from being taken outside of Australia (for example, the My Health Records Act 2012 (Cth) specifically prohibits contracted service providers from holding or taking particular health and medical information outside Australia or processing or handling the information outside Australia).

Commonwealth Security Policy Framework

Commonwealth entities are required to comply with a number of policies that impose restrictions on data processing and data security (and there are similar obligations which apply in the States and Territories), including:

  • The Protective Security Policy Framework (PSPF): Compliance with the PSPF is mandatory for various Commonwealth public sector agencies. The PSPF sets out mandatory requirements for physical, personnel and information security including ICT systems. Agency heads are required to ensure that employees and contractors entrusted with their agency’s information and assets, or who enter their agency’s premises, are eligible to have access, have had their identity established, and will comply with the Australian Government’s policies, standards, protocols and guidelines that safeguard that agency’s resources (people, information and assets) from harm.
  • The Information Security Manual (ISM): Compliance with this is compulsory for a number of Commonwealth entities, and also for organisations that have entered into a deed of agreement with the Australian Government to have access to sensitive or classified information. However, the Australian Signals Directorate (ASD) encourages compliance with the ISM by all government entities (including State and Territory entities). The ISM requires that:
    1. agencies must only use outsourced cloud services listed on the ASD’s Certified Cloud Services List or must otherwise ensure that service providers’ systems are located in Australia if they store or process government information;
    2. agency data and computing environments must not be accessed, configured or administered from outside Australian borders by a service provider unless a contractual arrangement exists between the service provider and the customer to do so;
    3. service providers’ systems that are used to provide information technology services, including outsourced cloud services, must be accredited prior to handling government information; and
    4. any measures associated with the protection of information entrusted to another party must be documented in contract provisions, a memorandum of understanding or equivalent formal agreement between parties.

Other Regulation

Australian regulators are also becoming increasingly prescriptive on data and information security requirements (see APRA’s Prudential Standards, eg, CPG 235 managing data risk, which expressly deals with outsourcing of data management responsibilities, CPG 234 management of Security Risk in Information and Information Technology, and the Australian Securities and Investments Commission’s Report 429 Cyber resilience: Health Check). Customers may increasingly require outsourced ICT service providers to comply with these standards.

On 1 July 2019, APRA revised CPG 234 and CPS 234 and released both documents under CPG 234 Information Security and CPS 234 Information Security.

Penalties for Breach

There are a variety of penalties under various Australian and international legislation for breaches of privacy that may occur in Australia.

If the Australian Information Commissioner upholds a complaint regarding a breach of the Privacy Act, he or she may make a determination. This could be a determination that the party found to have committed the breach must perform acts to address any loss or damage resulting from the breach. A breach of the Privacy Act could also attract civil penalties of up to AUD2.1 million.

In addition to breaching the Commonwealth Privacy Act, a breach of privacy may also constitute a breach of State or Territory privacy legislation or of other Commonwealth, State or Territory legislation, such as health care, social security, education or national security legislation. A privacy breach in Australia may also constitute a breach of the European Union’s General Data Protection Regulation.

A breach of the PSPF would not attract monetary penalties; however, there would be internal consequences for any Commonwealth entity that failed to comply with the PSPF.

Increasingly strong contractual protections for customers in relation to data and security are being included in Australian outsourcing contracts. For example, contracts may now contain:

  • provisions requiring strict compliance with Privacy Act requirements, with clear obligations on both parties in relation to responsibility for collection, provision of required privacy notices, and obtaining of required privacy consents;
  • obligations to meet the customer’s policies and standards for privacy, data storage and handling and security, international standards, and/or any additional future security requirements as notified by the customer;
  • clear mechanisms to show or verify compliance (eg, audit rights);
  • clear limitations on the jurisdictions to which data and information can be transferred, with enforcement options and indemnities for privacy breaches in those other jurisdictions;
  • processes for immediate reporting and consultation in the event of any loss or destruction of customer information, cyber incidents (including actual, suspected or threatened actions or any unauthorised access) or other data breach;
  • requirements for the service provider to hold insurance with adequate protections for cybersecurity issues;
  • requirements for the implementation of cybersecurity and data protection plans;
  • supply chain integrity requirements; and
  • uncapped liability for privacy, data or other security breaches.

There is no standard supplier-customer model in Australia for outsourcing contracts. There are several common outsourcing contract models that customers and suppliers use. These include:

  • Standing Offers or Head Agreements: these are contractual arrangements which establish the overarching legal framework between the customer and supplier under which orders or contracts can be placed or entered into on an as-needed basis (eg, they set out the standard terms and conditions that apply to each order or contract).
  • Single Contract: this is where the customer and supplier enter into a specific contract for the required services. Commonly, these arrangements involve the customer contracting with a single third party to provide the required services to the customer.

The form of the customer-supplier contract may be proposed by either the customer or the supplier and is likely to be negotiated in some cases. Although there is no standard contracting model, contracts may be based on the customer’s or supplier’s existing template or they may involve the creation of a bespoke contract which has been drafted for the specific services being outsourced.

Many public sector entities have established contracting templates for use when procuring ICT services. These include the Procure IT Framework which must be used by New South Wales Government agencies, the Queensland Information Technology Contracting (QITC) framework, and the Commonwealth government’s SourceIT contract suite. Further, some contracting templates are mandatory for use by certain public sector entities (eg, Commonwealth government agencies must purchase certain goods and services using mandatory whole-of-government arrangements).

Private sector entities often also maintain their own contracting templates for procurement.

Some models that have generally been used in Australia for outsourcing include:

  • Single Outsourced Provider: This involves a contract between the customer and an outsourced service provider. The outsourced service provider is required to provide the outsourced services to the customer. This is one of the most common contracting models used in Australia.
  • Multi-Sourcing: A variant on the single outsourced provider model, this model involves contracting with multiple outsourced providers to provide the outsourced services. This model allows the customer to select the best provider for each service being outsourced (eg, "best of breed approach").
  • Captive centres: A captive centre is an entity that is developed and resourced by the customer to perform the required services. This is often a subsidiary of the customer. The captive centre is typically located offshore or in a location that has lower overheads. This model is often used when a customer considers that its requirements are too complex or too sensitive to transfer to a third party. However, this arrangement is typically only beneficial to a customer that is large enough to justify the initial resources required to set up the captive centre.
  • Build-Operate-Transfer: Under this model, a customer contracts with a supplier in the target country to "build" the captive centre for the customer (eg, where the supplier has greater expertise or capability in the relevant location). Once the captive centre is established and operational, the supplier hands the captive centre over to the customer to operate. At this point, the customer may choose to have the service provider continue to operate the captive centre on their behalf or take over full management and operation of the captive centre themselves.
  • Joint Venture: Under this model, the customer and the supplier enter into an agreement to provide the services together where each party contributes capital or resources to the arrangement. Joint venture arrangements can be complex and may or may not involve the creation of a separate legal entity.

Captives and shared services centres are common across both the public and private sector in Australia for the provision of ICT and other common back-office services. Australian governments are increasingly establishing shared services centres for various back-office services.

Recent trends in relation to captives and shared service centres (according to the Deloitte Global Shared Services: 2019 Survey Report) include the following:

  • organisations are focusing on automation, digital services and the use of robotics to improve service offerings and efficiency by reducing the time and effort required for tasks that are considered mundane and labour-intensive;
  • operators of shared services centres are moving away from the strict provision of only what is requested by the customer. Instead, a business model of looking for value-adds and providing business outcomes with a high impact is becoming more common; and
  • outsourcing industries are focusing on diversifying their offerings to cater for various needs of their clients.

Outsourcing arrangements are also increasingly concerned with appropriately allocating data security and privacy risk and compliance obligations (including compliance with the Privacy Act and its recent notifiable data breach notification requirements, the European Union’s General Data Protection Regulation and State and Territory based privacy regimes). For example, major global ICT providers have been establishing more on-shore data centres in Australia to meet customer demand and requirements for local infrastructure and storage of data (eg, to be able to satisfy government security and privacy requirements for government customers).

There are two main categories of customer protections and remedies that can be included in outsourcing contracts, being financial and non-financial.

Financial protections and remedies include the following:

  • Stop payment clauses: meaning an aggrieved customer is no longer required to pay the provider until a certain issue is resolved or remedied; and
  • Service Levels and Credits: meaning a reimbursement of or reduction in the amount payable by an aggrieved customer in the event that the provider fails to meet required service levels.

Non-financial protections and remedies include:

  • Step in rights: which allow an aggrieved customer to take over from the provider in the provision of certain services under the contract;
  • Reduction in scope: which allows an aggrieved customer to reduce the scope of the contract, and the corresponding contract price; and
  • Termination: which allows an aggrieved customer to terminate the contract for a (usually material) breach of the contract by the provider.

Under legislation, the most commonly used and effective protection of customers is the prohibition of "misleading and deceptive conduct" under s 18(1) of the Australian Consumer Law, which is contained in the Schedule to the Competition and Consumer Act 2010 (Cth). It has been very broadly interpreted by the courts in a very wide variety of factual circumstances. The remedies available to an aggrieved customer under this section include financial damages and an injunction to prevent or compel certain types of conduct.

Under the common law, an aggrieved customer may terminate a contract when there has been a material breach of the contract.

Otherwise, when a contract can be terminated is governed by the terms of the contract itself. There will generally be a right for the customer to terminate for material breaches. The detail of what constitutes a material breach is generally specified in the contract. It is common for some breaches to allow immediate termination and others to require the customer to give the supplier a notice of breach and opportunity to cure the breach.

There is generally either no right for the supplier to terminate the contract, or a right which will only arise if the customer has not paid an undisputed sum despite receiving a demand to do so. In some cases, there is also a right to terminate on provision of significant notice, so as to enable the customer to transition out.

In Government contracts in Australia, in which the government agency is almost always the customer, it is generally expected that the agency will have a right to terminate (or reduce the scope of) the contract "for convenience", eg, without there being a default by the supplier. This right has been derived from the doctrine of "executive necessity". It is, however, expected that the agency will exercise this right "in good faith" (eg, not just to move to a cheaper supplier) and will be liable to pay compensation, as specified in the contract, to the supplier.

Termination for convenience is rare in private sector contracts.

Both the supplier and customer can always terminate the contract by mutual agreement.

In both the public and private sectors, the following types of losses are generally recoverable:

  • direct losses, ie, those arising from a breach of contract; and
  • indirect, or consequential losses, ie, to the extent that they were reasonably contemplated by parties to the contract at the time of execution, as the likely result of a breach of the contract.

In the last decade, there has been less of a distinction drawn between direct and indirect loss in Australia. Instead, contracts (particularly major outsourcing contracts) are generally drafted in such a way that specific heads of loss are excluded or included.

Moreover, case law indicates that a contract can no longer expressly exclude all "indirect loss" or "consequential loss". Accordingly, it is common to see liability for the following types of losses being expressly excluded:

  • loss of profit;
  • loss of reputation; and
  • loss of goodwill.

Further, most contracts contain clauses in relation to:

  • proportionate liability (frequently seeking to exclude statutory regimes, to the extent permitted by law); and
  • contributory negligence or fault.

In addition, liability in outsourcing contracts may be capped or uncapped. The supplier’s liability in respect of some heads of damages is often capped.

It is common to see uncapped liability for losses incurred by the customer arising from the supplier breaching obligations in relation to fundamental matters such as work health and safety, security, data protection and intellectual property rights breaches.

Finally, it is important to note that in the public sector context, a non-corporate Commonwealth entity cannot grant an indemnity, guarantee or warranty without the consent of the Finance Minister. Similar rules apply to government agencies in a number of the Australian States and Territories.

Within public sector outsourcing contracts, there is generally an implied term of good faith imposed on the customer.

In the Commonwealth, officials are required to "exercise his or her powers, perform his or her functions and discharge his or her duties honestly, in good faith and for a proper purpose", in accordance with s 26 of the PGPA Act. Essentially, this means that Commonwealth officials should act in good faith when entering into or administering an outsourcing contract.

There are similar requirements that apply to government officials in a number of the Australian States and Territories.

In the private sector, an implied term of good faith will always be applied (Vodafone Pacific Limited v Mobile Innovations Limited [2004] NSWCA 15). However, the courts have shown that they may be willing to accept that:

  • a duty of good faith could apply as a matter of fact, particularly in circumstances where there is an existing relationship between the parties; or
  • if the duty of good faith is not applicable, the lesser duty of honesty and reasonableness may be applied.

With respect to other implied terms, under the common law, the following terms are often implied:

  • an implied term that assets or goods that are sold are of reasonable fitness for purpose and are also of merchantable quality; and
  • an implied term that, in the absence of a deadline in a contract, the relevant contractual obligation(s) should be discharged within a reasonable timeframe.

The various implied terms arising from sale of goods legislation and consumer protection legislation will generally not be applicable to outsourcing contracts.

Any transfer of employees between their old and new employers arising in the context of an outsourcing will involve the termination of their employment with the old employer and the offer and acceptance of employment with their new employer.

Coverage of the Fair Work Act 2009

Australian employers and employees are subject to a mix of Federal and State laws. The principal Federal statute, the Fair Work Act 2009 (Cth) (FW Act), does not apply to every employment relationship and, in particular, to certain employees employed within the State public sectors.

The principles in the FW Act, insofar as they are relevant to outsourcing, apply to "national system employees" and "national system employers". A "national system employee" is an "individual employed (or usually employed) by a national system employer, other than on a vocational placement" (s 13 FW Act). A "national system employer" is in turn defined (in s 14(1) FW Act) as any of the following entities:

  • a "constitutional corporation" – that is, ‘foreign corporations, and trading and financial corporations formed within the limits of the Commonwealth’, essentially any corporation within the private sector;
  • the Commonwealth;
  • a "Commonwealth authority" – that is, a body corporate in which the Commonwealth has a controlling interest, or which has been established for a public purpose under a Federal law;
  • a body incorporated in a Territory; and
  • any person who carries on an activity in a Territory and employs persons in connection with the activity carried on in the Territory.

Application to State employees

The coverage of the FW Act also extends to employment relationships in States that referred their industrial relations power to the Commonwealth (all States except Western Australia have referred, to a greater or lesser extent, their power to the Commonwealth) and operates subject to any carve out within the FW Act that preserves the application of State legislation (this includes, relevantly for these purposes, each State’s long service leave legislation (per s 27(2)(g) FW Act) – see further below).

There are specific limitations to this reference of power in Victoria. The FW Act has a broad application to the exclusion of mainly judicial officers and senior State executives or office-holders.

By contrast, the referral statutes in other States contain more substantial exceptions. For example, New South Wales, Queensland, South Australia and Tasmania each, in various ways, exclude their public sector workers, including, for example, law enforcement officers, from being treated as "national system employees". New South Wales, Queensland and South Australia do the same for their local government employees.

When an outsourcing is likely to have an impact upon non-national system employees, the laws of the relevant State or Territory should be addressed to determine the rules governing employee transfers within each specific jurisdiction.

Employee transfers under the FW Act

When there is an outsourcing involving the transfer of "national system employees", the transfer of business provisions in the FW Act may be enlivened. This can include an intra-group outsourcing.

A "transfer of business" occurs if the following conditions are satisfied (s 311(1) FW Act):

  • the employment of an employee with the old employer terminates;
  • within three months after the termination, the employee becomes employed by the new employer;
  • the work the employee performs for the new employer is the "same, or substantially the same", as the work the employee performed for the old employer; and
  • there is a "connection" between the old employer and the new employer.

An employee who satisfies the above criteria is classified as a "transferring employee".

Same, or substantially the same work

The work performed by an employee in the business of the old and new employer must be the same or similar for the transfer of business provisions to be enlivened.

Essentially, the employees terminated by the old employer must, within three months of the termination of their employment, be employed by the new employer to continue to perform work that is substantially the same as what they did previously in connection with the outsourced activities. This is a fact specific analysis and will vary on a case by case basis.

Connection between the old employer and the new employer

There will be a connection between the old employer and the new employer if, among other things, the transferring work is performed by one or more transferring employees, as employees of the new employer, because the old employer or an associated entity of the old employer, has outsourced the transferring work to the new employer or an associated entity of the new employer (s 311(1) FW Act).

The term "outsource" is not defined further in the FW Act, but is intended to have a broad application to any situation where the old employer decides that it no longer wishes to perform work of a particular type, or no longer wishes to perform as much work of a particular type, and so engages a third party to perform that work instead and that third party engages employees of the old employer to continue performing that work.

Implications of a Transfer of Business Under the FW Act

If a transfer of business occurs under the FW Act, the new employer will be bound by any "transferable instruments" covering the transferring employees.

Under the FW Act, "transferable instruments" include any enterprise agreements that have been approved by the Fair Work Commission, as well as any individual flexibility arrangements made between the old employer and any transferring employee under the applicable enterprise agreement (s 312 FW Act).

Modern awards will also continue to cover the transferring employees for as long as they perform work which is covered by the modern award.

The FW Act does not prevent a transferable instrument from covering a new employer simply because the new employer cannot offer some of the terms and conditions included in the instrument or can only do so with some additional impost. This means that:

  • any existing enterprise agreement (including in respect of rates of pay and other prescribed conditions) will cover any transferring employees from the point at which they become employed by the new employer (assuming they become employed by the new employer within three months of the termination of their employment with the old employer and carry out the same, or substantially the same, work) (s 313(1)(a) FW Act); and
  • no other enterprise agreement that binds the new employer at the time of transfer will cover the transferring employees (s 313(1)(b) FW Act).

The new employer must also recognise transferring employees' period of service with the old employer (s 22.5 FW Act). The effect of this is that, for the purpose of some service-based entitlements, such as leave benefits, the transferring employees will continue to be entitled to the entitlements that accrued to them based on their period of service with the old employer, less any amount of those entitlements for which the transferring employee has already enjoyed the benefit (s 22.6 FW Act).

This means that (subject to the exceptions discussed below), the new employer is required to recognise, in respect of each transferring employee:

  • accrued but untaken annual leave under the FW Act;
  • accrued but untaken personal/carer's leave (which includes sick leave) under the FW Act;
  • the amount of notice of termination the transferring employee is entitled to under the FW Act, less the service for any period of notice given by the old employer (or paid out in lieu);
  • the amount of service that the transferring employee has for the purpose of determining eligibility for unpaid parental leave, or an employee's right to request flexible working arrangements, in both cases under the FW Act;
  • the amount of service that the transferring employee has for determining when the minimum period of employment ends under the FW Act; and
  • the amount of service that the transferring employee has for the purpose of calculating redundancy pay under the FW Act if the transferring employee is made redundant by the new employer at some later point in time.

There are three exceptions under the FW Act to the requirement that the new employer must recognise the transferring employees’ service with the old employer. The first relates to annual leave (s 91.1 FW Act), the second relates to redundancy pay (s 122.1 FW Act) and the third relates to determining when the minimum period of employment ends (s 384(2)(b) FW Act). The effect of the exceptions is that:

  • the new employer can elect to not recognise a transferring employee’s service for the purposes of annual leave and/or redundancy; and
  • the new employer can inform a transferring employee in writing before commencing employment with the new employer that the transferring employee’s period of service with the old employer will not be recognised for determining when their minimum period of employment ends. If the new employer does not recognise a transferring employee’s period of service with the old employer for this purpose, the transferring employee will not be permitted to make an unfair dismissal application if their employment is terminated during the first six months of their employment with the new employer.

The consequences for the old employer, should the new employer make any of the elections referred to above, are as follows:

  • the old employer will be required to pay to the transferring employees their accrued but untaken annual leave entitlements upon the termination of their employment with the old employer; and/or
  • the old employer may be required to pay redundancy pay to its employees.

As set out above, employees’ long service leave entitlements are governed by the long service leave legislation of the State within which the employees work (or predominantly work). Therefore, the implications for transferring employees’ long service leave entitlements in an outsourcing will be determined by the relevant State legislation.

There are no specific legislative requirements to inform or consult employee representatives in relation to outsourcing. However, outsourcing obligations may arise under an applicable industrial instrument (ie, a modern award or enterprise agreement). 

Industrial instruments can (and typically do) require consultation when decisions are taken that could have a "significant effect, or impact" on employees. A "significant effect" usually includes any termination of employees’ employment by reason of the outsourcing.

Failure to comply with information and/or consultation obligations in an applicable industrial instrument gives rise to a right for affected employees (or their trade union) to apply for remedies including compensation, reinstatement or an injunction. Penalties may also be imposed.

Additionally, if the old employer proposes to make 15 or more employees redundant as a result of the outsourcing, then certain statutory information and consultation obligations will apply. Further, there are statutory notifications containing information about the dismissals that must also be filed with the relevant Federal Government authority.

As described above, the mechanism by which employees are transferred upon an outsourcing is by operation of the termination of their employment with the old employer and re-employment by the new employer (ie, there is no concept of an "automatic transfer" in Australia). 

Although there is no statutory obligation to consult upon a "transfer" of employment, it is best practice, when there is an outsourcing involving the termination and re-engagement of transferring employees, to consult with employees and/or their representatives ahead of the relevant transfer to ensure that the offer and acceptance process runs smoothly and the new terms and conditions of employment with the new employer are adequately communicated to the transferring employees.

The nature, duration and conduct of the consultation process will vary depending on the nature of the outsourcing transaction and existing employee relations.

In both the public and private sectors, there are no general terms about the transfer of assets; these terms are entirely transaction specific. An outsourcing contract involving the transfer of assets would generally include terms relating to the following types of matters:

  • the cost of the asset;
  • the applicable payment regime;
  • the date on which the transfer of the asset will take effect;
  • warranties relating to the asset (including transfer of third-party warranties) – or exclusion of warranties and other liabilities;
  • indemnities relating to the asset – or exclusion of indemnities;
  • transfer of any licences, authorisations or approvals – or obligations to obtain them;
  • transfer of any maintenance arrangements or the like;
  • stamp duty liability for the asset, if applicable; and
  • if the asset is to be physically moved, obligations in respect of transport, insurance and risk during transit.

More generally, prior to entering into an outsourcing contract involving the transfer of assets, both parties will usually:

  • undertake thorough due diligence processes; and
  • ensure that the scope of the required assets has been determined and documented. 

An important issue for contracts involving the transfer of assets is ensuring that the transfer of ownership and the transfer of risk in respect of the asset occur at the appropriate time. It may not always be appropriate for the transfer of ownership and transfer of risk to occur at the same time, depending on the nature of the transaction.

Maddocks

Collins Square, Tower Two
Level 25, 727 Collins Street
Melbourne
Victoria
Australia
VIC 3008

+61 2 6120 4800

+61 2 6230 1479

info@maddocks.com.au www.maddocks.com.au