Privacy

3 Mar 2026

6 min Read

Your Vendors Are Your Liability: How to Audit Third-Party Privacy Risk in Your Supply Chain

Think your business is privacy compliant? Your vendors might not be. Learn how to audit third-party privacy risk with practical steps from an experienced Privacy Lawyer.


Supply Chain Privacy Risk is the Fastest Growing Governance Risk

You have a privacy policy. You have trained your staff. You have solid internal controls. But do you know what your suppliers, software vendors and outsourced service providers are doing with your customers' data? If the answer is uncertain, you are likely carrying significant regulatory and financial risk and may be overdue for a vendor privacy audit.

For most Australian businesses, the honest answer is: not really.

This is one of the most significant, and most overlooked, privacy risks facing business owners today. The Privacy Act 1988 (Cth) does not let you off the hook simply because a third party caused a breach. If you gave them the data, you may be on the hook for what they did with it. It is a point that privacy lawyers across Australia, and our team here in Melbourne, regularly raise with clients who are surprised by the extent of their liability.

Why Third-Party Privacy Risk Is Escalating

Modern businesses are deeply dependent on third-party software and services. Think about the tools your business uses day to day:

  • CRM and marketing platforms that store customer names, emails and purchase history

  • Cloud accounting software that holds employee and supplier financial data

  • Offshore IT support providers with remote access to your systems

  • HR platforms managing sensitive employee records

  • Payment processors handling financial information

Every vendor is a potential privacy vulnerability. Under Australian law, you are responsible for ensuring that anyone who handles personal information on your behalf does so appropriately.

The Office of the Australian Information Commissioner (OAIC) has made it clear: ignorance of what a third party does with data is not a defence. The obligation to protect personal information follows the data — not just the organisation that originally collected it. A structured privacy audit of your vendor relationships is how you demonstrate that you understood this obligation and acted on it.

What Australian Privacy Law Actually Requires

Under Australian Privacy Principle 8 (APP 8), before you disclose personal information to an overseas third party, you must take reasonable steps to ensure that party will handle the information in compliance with the APPs. Reasonable steps generally means detailed contractual clauses and active auditing of your suppliers, not simply a box-tick at onboarding. If you don't take those steps, you are liable as if you had breached the APPs yourself.

Even for domestic third parties, APP 11 requires you to take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, including when that information is in the hands of your service providers. Sending personal information to a third party you know is insecure or that has a history of data breaches can become your breach.

Many standard vendor contracts don't come close to meeting this standard. A generic "we take security seriously" clause is not enough. Detail is required, and this is an area where advice from a privacy lawyer can make a material difference to what ends up in your contracts.

The Four-Step Privacy Audit for Your Vendor Relationships

Step 1: Map Your Vendors

The first step in any privacy audit is visibility. List every third party that has access to personal information you hold. This includes:

  • Software-as-a-service platforms (especially free tools; if you're not paying, your data is the product)

  • Outsourced functions like payroll, IT support, marketing and customer service

  • Cloud storage and email providers

  • Any party you send data to, even for analytics or reporting purposes

For each vendor, document: what personal information they access, whether data is transferred or stored overseas, and what their privacy credentials and certifications look like. This data map is a foundational document in any privacy audit.

Step 2: Review Your Contracts

Your contracts with third parties should include specific, enforceable privacy obligations. This is one of the most common gaps our privacy lawyers identify when conducting vendor privacy audits. At a minimum, look for:

  • A requirement to comply with Australian privacy law

  • Restrictions on how the vendor can use your data, including within their IP licence clauses; they should only use it to provide the agreed service, not for their own purposes

  • Notification requirements if a data breach occurs involving your data

  • Data deletion obligations when the contract ends

  • Minimum security standards the vendor must maintain

  • Your right to audit the vendor's compliance

If these clauses are missing, you have a gap that needs to be fixed. Don't assume a vendor's standard terms protect you; they are written to protect the vendor.

Step 3: Ask the Right Questions

Before onboarding a new vendor, or renewing an existing relationship, these are the questions worth asking:

  1. Where is our data stored and processed?

  2. Who within your organisation has access to our data?

  3. Do you engage subcontractors or sub-processors who may also access our data?

  4. What security certifications do you hold (e.g. ISO 27001, SOC 2) and when were they last assessed?

  5. How would you notify us if there was a data breach involving our data?

  6. Do you have a current privacy impact assessment for your product or service?

A reputable vendor will answer these questions readily. Evasive or incomplete answers are a red flag and a prompt to seek legal advice before proceeding.

Step 4: Establish Ongoing Oversight

A privacy audit of your vendors is not a one-time exercise. Businesses change, software is updated, and Australian privacy laws continue to evolve. Build in:

  • Annual privacy auditing of your key vendors

  • Annual contract reviews to ensure privacy clauses remain fit for purpose

  • Periodic re-assessment of your highest-risk vendor relationships

  • A process for reviewing vendor privacy policies when they are updated

  • Clear internal ownership of third-party privacy risk

The Cost of Getting It Wrong

The consequences of inadequate vendor oversight are real and traceable. The OAIC has demonstrated a willingness to follow breaches back through the supply chain. The Federal Court's $5.8 million penalty in the Australian Clinical Labs case, involving a breach that occurred in a business they had recently acquired, is a clear reminder that inherited and delegated data risk carries genuine financial consequence.

That is before you factor in customer remediation costs, reputational damage, and the executive time absorbed by an investigation.

The cost of a thorough vendor privacy audit is a fraction of the cost of a single significant breach.

When to Seek Advice from a Privacy Lawyer

Some vendor privacy reviews can be managed internally. Others, particularly where you are dealing with high-risk data categories (health, financial, biometric), complex offshore data flows, or material gaps in existing contracts, benefit from the involvement of a specialist privacy lawyer. Across Australia businesses are finding that legal input at the vendor review stage is far less expensive than legal input during a breach response.

A privacy lawyer can help you draft enforceable privacy clauses, assess your APP 8 compliance for overseas transfers, and identify which vendor relationships carry the most regulatory exposure. That assessment becomes part of your documented, defensible compliance record, exactly what regulators look for when investigating how a breach occurred and whether the organisation took reasonable steps to prevent it.

The Bottom Line

Your privacy obligations do not stop at your own front door. Every business you share personal information with is an extension of your privacy risk profile. A structured vendor privacy audit is how you understand and manage that risk, before a regulator or a breach forces you to.

Start with your top five highest-risk vendors – those with access to the most sensitive data or the largest volumes of personal information – and work from there. The goal is not perfection overnight. It is building a defensible, documented, and improving approach to third-party privacy risk.

When a regulator comes knocking, what they want to see is not just good intentions. They want evidence that you took reasonable steps. A vendor audit program, supported by sound contracts and clear internal ownership, is that evidence.

Need help? Enigma Law is a privacy law firm based in Melbourne, advising Australian businesses on privacy compliance, audits and vendor risk. Contact jon@enigmalaw.com.au to discuss how we can help.
