The Privacy Amendment Bill was quietly introduced to Parliament this week.
The purpose of the Bill is to address the current legislative gap that arises because there is no requirement for an agency to notify an individual when it collects personal information indirectly (i.e., from a source other than from the individual concerned).
The Bill achieves this by introducing a new notification obligation on an agency when it collects personal information indirectly – the Bill amends section 22 of the Privacy Act 2020 to insert new information privacy principle 3A.
New IPP3A is largely based on existing IPP3, which deals with the collection of personal information directly from an individual. Under IPP3A, if an agency collects personal information from a source other than from the individual to whom the information relates, the agency must – as soon as reasonably practicable – take reasonable steps to ensure that the individual concerned is aware of:
• The fact of collection; and
• The purpose for which the information has been collected; and
• The intended recipients of the information; and
• The name and address of the agency that has collected the information and is holding the information; and
• Any law authorising or requiring the collection; and
• The rights of access to, and correction of, the information.
However, in some circumstances the individual concerned need not be informed of the above. These exceptions are the same that apply in respect of IPP3, with the addition of four further circumstances. Those additional circumstances are if the agency has reasonable grounds to believe that:
• The personal information collected is publicly available;
• Compliance would prejudice the security or defence of New Zealand, or the international relations of the Government of New Zealand;
• Compliance would reveal a trade secret;
• Informing the individual concerned of the above matters would cause a serious threat to public health or safety, or to the health or safety of another individual.
The notification requirements of IPP3A will also not apply if the agency that originally collected the information, when complying with its obligation under IPP3, notified the individual that the information would be disclosed to the other agency (i.e., the agency indirectly collecting the information) and of the matters listed above in relation to that other agency’s use.
Consequential changes are made to the Privacy Act 2020 so that references to IPP3 also include references to IPP3A e.g., as with IPP3, IPP3A will not apply to an agency that is an individual and is collecting personal information solely for the purposes of or in connection with the individual’s personal or domestic affairs.
The Bill provides that new IPP3A comes into force on 1 June 2025. This is to allow sufficient time for agencies to modify their systems and processes to enable compliance. New IPP3A will not apply to personal information collected before 1 June 2025.
Parliament has now risen for the election, so the Bill will not have its first reading until late this year (at the earliest).
An amendment to the Privacy Act to close the legislative gap arising from the indirect collection of personal information has been well signposted and is supported by the Privacy Commissioner, who has noted that the Bill would bring New Zealand into line with the Australian legal position. It is expected the Bill will proceed in some form following the election - regardless of the shape of the Government - but it will be interesting to see what commentary it generates, including as to the four new exceptions to notification.
Assuming the Bill passes its first reading, the public will be able to have their say on the amendment when the Select Committee process commences in 2024.
In the meantime, if you have any questions about the Bill and how it might impact your business, please reach out.