A move to expand the Privacy Act’s notification regime

18 Sep 23

The Government has introduced the Privacy Amendment Bill proposing changes to the current notification regime under the Privacy Act 2020.

The proposed changes

Transparency regarding the collection, use and disclosure of personal information is fundamental to protecting individuals’ privacy rights and their dignity and autonomy.

Under information privacy principle (IPP) 3 of the Privacy Act 2020 (Privacy Act), if an agency is collecting information from an individual, that agency must take steps that are reasonable in the circumstance to ensure the individual concerned is notified of certain aspects of the collection (i.e., the intended recipients of the information, the individual’s right to access and request correction of their information).

The Privacy Amendment Bill (Bill) proposes to broaden notification requirements so that they would also apply when agencies collect information about an individual indirectly (i.e. from a source other than from the individual to whom the information relates).

The amendments are intended to fill the “current gap that arises because there is no requirement for an agency (public or private) to notify an individual when it collects personal information about the individual indirectly (i.e., from a third party source other than from the individual concerned).[1]

The Bill proposes to expand the current notification regime to apply to indirect collection through the introduction of a new IPP 3A. IPP 3A will closely mirror the requirements of IPP3. The exceptions to compliance with IPP 3A are also generally the same as those applicable to IPP 3, however the following new exceptions have been introduced:

  • the relevant information is publicly available information;
  • compliance would prejudice either the security or defence of New Zealand or the international relations of the Government;
  • compliance would reveal a trade secret; or
  • compliance would cause a serious threat to public health or safety; or the health or safety of another individual.

IPP3A will not apply to personal information collected before 1 June 2025.

What this means

The proposed changes will require further action by agencies who collect personal information indirectly. There will no doubt be practical challenges for businesses who do not have direct relationships with many individuals whose personal information they hold. We expect that most businesses will need to review (1) their existing privacy policies to consider whether appropriate disclosures have been made; and (2) contracts with parties who disclose personal information to the business, to ensure appropriate warranties are provided in respect of the disclosures made to relevant indivuduals.

We will also be keeping a watching brief on whether these amendments have any impact on confirmation of New Zealand’s adequacy status in relation to EU data transfers. Review of New Zealand’s adequacy status was initially scheduled to be completed in May 2020, however New Zealand continues to wait for the final outcome of the European Commissioner’s decision.

[1] Explanatory note, Privacy Amendment Bill.

 

Want to know more?

If you have any questions about the Bill how it might impact you or your business, please contact our specialist Technology & Digital team.

PDF version: here.