A new Privacy Amendment Bill was recently introduced to Parliament. The Bill proposes to insert a new Information Privacy Principle (IPP) 3A into the Privacy Act 2020, which would impose additional obligations on those who indirectly collect personal information about individuals.
The key purpose of the change, according to the explanatory note in the Bill, is “to improve transparency for individuals about the collection of their personal information and better enable individuals to exercise their privacy rights”.
Privacy legislation refers to those who collect personal information about individuals as “agencies” and we use that terminology in this article.
What changes are proposed?
Privacy legislation (in particular the existing IPP 3) already obliges agencies who collect personal information directly from an individual to notify certain things to that individual. The proposed IPP 3A would extend this requirement so that agencies which collect personal information indirectly would also be subject to similar obligations.
The new IPP 3A would apply to:
- all agencies (including natural persons and public and private organisations) which collect personal information about an individual from sources other than directly from the individual concerned,
- but only in respect of personal information collected on and after 1 June 2025 (i.e. it would not apply retrospectively).
An agency to which the proposed IPP 3A applies will need to ensure that the individual about whom information is collected is made aware of:
- the fact that the information has been collected;
- the purpose for which the information has been collected;
- the intended recipients of the information;
- the name and address of the agency that has collected the information and any agency holding the information;
- if the collection of the information is authorised or required by or under law, the particular law under which the collection of the information is authorised or required; and
- the individual’s right to access and correct information.
What exceptions are available?
There are a number of exceptions available which permit non-compliance with IPP 3A. Most importantly, an agency does not need to take the above steps if the individual concerned has previously been made aware of the matters noted above. For example, the exception may apply if an agency indirectly collects information about an individual from a third party, and that third party has previously notified the individual (in an adequate manner) that his or her information will be disclosed to the agency and also as to the matters noted above.
There are also some further exceptions, some of which are similar to those that apply in respect to IPP 3, and some which are additional grounds available for IPP 3A only. For example, an agency does not need to comply with IPP 3A if the agency believes on reasonable grounds that:
- the information being collected indirectly is publicly available;
- compliance would reveal a trade secret; or
- informing the individual concerned of the matters specified in IPP 3A would cause a serious threat to public health or safety, or to the health or safety of another individual.
What does this mean for you?
If the Bill is passed into law, agencies will need to consider their information collection processes. This could include considering what steps can be taken to make individuals aware that their personal information is being collected indirectly. If information is collected through an intermediary, a key question will be does the individual concerned know?
The proposed changes may also lead agencies to review their contractual arrangements with such third parties to ensure privacy obligations are considered. Privacy policies would need to be reviewed to ensure they clearly state what indirect sources are being used to collect personal information and to whom personal information will be disclosed.