APRA imposes a number of obligations on regulated financial institutions and superannuation entities who enter into outsourcing arrangements involving material business activities to ensure they are subject to appropriate due diligence, approval and ongoing monitoring. Under Prudential Standard CPS 231 and Superannuation Prudential Standard SPS 231, regulated financial institutions and superannuation entities must appropriately manage all risks arising from outsourcing material business activities to ensure its obligations to its depositors and policyholders are met.

See Financial Services and Private Health Insurance — APRA regulations and Prudential Standards.

The transfer and use of personal data (including the transfer to an offshore service provider) in an outsourcing arrangement is governed by the Privacy Act 1998 (Cth) as amended. Where an outsourcing arrangement involves certain industries, in addition to the general privacy law, data will also be subject to the relevant industry regulatory framework and legislation. To ensure the service provider complies with the applicable privacy laws, the customer will include provisions in the outsourcing agreement requiring the service provider to use and store the data securely in a manner consistent with the laws and solely for the purposes of performing their obligations under the agreement. Provisions relating to allocating responsibility for response to, and investigation and notification of, data breaches should also be included in order to ensure that the customer is in a position to comply with its obligations under the Mandatory Data Breach Notification regime enacted by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth).

See Data Protection and data security.

The transfer of employees in an outsourcing arrangement may constitute a "transfer of business" under the Fair Work Act 2009 (Cth) if it involves certain circumstances and therefore subject the service provider to certain obligations in relation to recognising the employee's existing enterprise agreement, other industrial instruments and certain leave entitlements. If the outsourcing requires foreign employees to come to Australia to manage the outsourced operations, they must also ensure that they have obtained the necessary visas, if applicable, to enable them to do so.

See Labour and employment.

Work Health and Safety

The Work Health and Safety Act 2011 (Cth) provides a framework to protect the health, safety and welfare of all workers at work.

Under the act, the personnel of the customer are 'workers' and accordingly, the service provider has work place health and safety duties owing to those personnel. The customer should consider the different haz-ards and risks to health and safety at each stage of the procurement process.

An outsourcing arrangement may subject a customer and outsourcing service provider to a number of tax implications including possible withholding obligations, employee taxes, deductions, GST, transfer pricing requirements and income and capital gains tax. An offshore outsourcing service provider may also be taxed in Australia for income sourced in Australia, as derived from the outsourcing agreement, subject to any available double tax agreement which may provide relief.

See Taxation.

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), which comes into effect on 22 February 2018 will require entities to carry out assessments of suspected “'eligible data breaches”', and to prepare a statement and notify affected individuals and the information commissioner of eligible data breaches likely to cause serious harm to the individuals. Recent case law involving outsourcing also provides reminders of the need for accuracy in tender documentation and the need to adhere to employment regulations in outsourcing operations.

See Current legal issues.