To run a successful business, you need to have well-functioning IT services to manage your internal operations as well as customer-facing activities. Before you can implement those services, you will have to sign an information technology (IT) services contract.

However, many IT services will provide you with standard contracts that will try to minimise any liabilities and burden you with unnecessary costs. Therefore, you should carefully review your contract to see if you can negotiate terms that are more favourable to your business’ operating needs. This article will explain the five key areas that you need to review in an IT services contract.

Data Protection

Your IT provider should promise to:

Your contract should also include an indemnity clause that holds your service provider responsible for data breaches that they cause. Ideally, the indemnity should cover the liability of third parties they use to provide services to you. However, you may find your IT services provider will not include third parties for insurance reasons. 

Personal Information

Your IT services provider is likely to handle or access any personal information belonging to your business or your employees. The contract should reassure you that your IT services provider will handle the personal information responsibly. 

The contract should cover whether your business has to comply with privacy laws, such as the Privacy Act 1988. You may have to report eligible breaches to the Office of the Australian Information Commissioner (OAIC) as soon as practicable. You must also notify any affected customers.  

An eligible breach is a breach that can have serious consequences for any individual to whom the information relates. In addition, you have not been able to take steps to prevent the likely risk of serious harm.

Your contract should set out exactly how your IT services provider will respond to a serious data breach involving personal information. You cannot presume your IT services provider will notify you when a data breach occurs. 

For example, if your IT services provider becomes aware of a serious data breach, they should notify you and provide all relevant information. You will also want them to contain the breach and find out if they had caused the breach. If so, your contract should have an indemnity that holds them responsible for that breach.  


Your IT services provider may receive confidential information or have access to confidential information when providing their services. Either way, you want the IT services provider to use and access that confidential information as required to provide their services. Your IT services provider should obtain your written permission before they are allowed to disclose the information to third parties. 

You may also require your IT services provider to return and destroy all of your confidential information when the contract ends. Confidentiality clauses continue to work even if the contract ends for any reason. Therefore, your IT services provider must continue to keep your information confidential. 

Third Party Intellectual Property Claims

As part of providing their services to your business, your IT services provider may use other services. If they have used or modified the intellectual property (IP) of those services improperly, someone may sue your business for IP infringement. 

Therefore, you should ensure the contract includes a warranty by your IT services provider that they have the correct licences and rights to use any IP as part of their services. Your contract should also have an indemnity that makes the IT services provider responsible for any IP claims and associated legal costs.

For example, your IT services provider customises a software as a service (SaaS) platform that is white-labelled as your own. They manage the platform as part of their services. An unrelated party sues you for copyright infringement based on the code of the software. As you did not provide the code, your IT services provider should be liable for the claim and responsible for their legal costs.

Indirect Loss

An IT services provider’s contract is likely to exclude their liability for indirect loss. There is a difference between indirect and direct loss. Direct loss usually concerns immediate losses following an event. Indirect loss refers to any loss that could occur following an event but is not guaranteed to happen. 

For example, your IT services provider fails to secure your data, leading to a data breach. Direct loss in this situation is the cost of containing the breach and fulfilling your data breach reporting obligations afterwards. Indirect loss is the potential loss of profit and damage to reputation that may be caused by customers avoiding your services following the breach. However, these indirect losses do not always occur following a data breach. Those losses may depend on many factors, such as your existing reputation and the seriousness of the data breach. 

Therefore, you should ensure the contract has not excluded the IT services provider’s liability for indirect loss. However, you may discover the clause is a mutual arrangement that covers both you and the IT services provider. Consequently, you may be liable for any indirect losses if you breach the contract. You may want your IT services provider to be held liable for certain indirect losses, such as indirect loss relating to data breaches. 

Practical Tips for Contract Review

An IT services provider will usually provide a standard contract for you to sign before supplying any service. Besides looking out for key areas of risk, you should also following these practical tips when reviewing your contract. These tips include:

  1. asking for a copy of the contract in writing so you can review the contract;
  2. taking time to review the contract;
  3. allowing other employees from your business to review the contract as they may point out concerns that you had not considered;
  4. checking what services are provided, as well as any warranties, indemnities and limitation of liability clauses that favour the IT services provider;
  5. preparing to negotiate these clauses or other clauses of the contract; and
  6. seeking independent legal advice if you are not sure.

Key Takeaways

If you are signing a contract with an IT services provider, you should look out for the following five key areas of concern, such as: 

  1. data protection;
  2. personal information;
  3. confidentiality;
  4. third party IP claims; and
  5. indirect loss.

If you have any questions or need your IT services contract reviewed, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson
If you would like further information on any of the topics mentioned in this article, please get in touch using the form on this page.
If you would like to receive a free fixed-fee quote for a legal matter, please get in touch using the form on this page.

Privacy Policy Snapshot

We collect and store information about you. Let us explain why we do this.

What information do you collect?

We collect a range of data about you, including your contact details, legal issues and data on how you use our website.

How do you collect information?

We collect information over the phone, by email and through our website.

What do you do with this information?

We store and use your information to deliver you better legal services. This mostly involves communicating with you, marketing to you and occasionally sharing your information with our partners.

How do I contact you?

You can always see what data you’ve stored with us.

Questions, comments or complaints? Reach out on 1300 544 755 or email us at

View Privacy Policy