Agencies (eg companies and public sector agencies) that are subject to the New Zealand Privacy Act 2020 (Privacy Act) should take note of the introduction of the Privacy Amendment Bill (Bill) this week. The Bill seeks to address a perceived gap in the Privacy Act in relation to what happens when an agency collects personal information about an individual other than from the individual concerned (ie where personal information is collected from another agency).
To address this gap, the Bill introduces a new information privacy principle 3A (IPP 3A) relating to the indirect collection of personal information. This new IPP 3A closely mirrors the existing information privacy principle 3 (in relation to collection).
What does the new privacy principle require?
The new IPP 3A will require the agency collecting the relevant information indirectly through another agency to take steps that are, in the circumstances, reasonable to ensure that the relevant individual is aware of:
- The fact that the information has been collected
- The purpose of collection
- The intended recipients of the information
- The name and address of the agency (or agencies) that is collecting and holding the information
- If collection is authorised or required under law
- The particular law that authorises or requires that collection
- Rights to access and correct information under the Privacy Act.
These steps must be taken as soon as is reasonably practicable after the information has been collected (unless taken sooner), but are not needed if the relevant individual has previously been made aware of these matters (eg by the agency that originally collected the relevant information).
As is the case with the current information privacy principle 3, there are a number of exclusions from this disclosure obligation - for example, where non-compliance would not prejudice the interests of the relevant individual, compliance would prejudice the purposes of the collection, or compliance is not reasonably practicable in the particular circumstances.
In practice, we anticipate the privacy policies, statements and consent forms used by many agencies that collect personal information will already cover both direct and indirect collection, by addressing whether and how they are collecting information from other sources and/or disclosing information to third parties. For an agency that might need to do more work to ensure that it satisfies IPP 3A, the Bill (as currently drafted) gives that agency plenty of time to do so – IPP 3A will not apply to personal information collected before 1 June 2025.
The Bill also introduces a number of other more minor changes. Among these, is that when assessing whether the privacy laws of a country provide comparable safeguards to those in the Privacy Act, the Privacy Commissioner may assess the privacy laws of a country on the basis of the country being a member of a bloc of countries (eg being a part of the European Economic Area and so being subject to the EU General Data Protection Regulation).
The Bill has only just been introduced to Parliament, so will be subject to further review and debate through the legislative process. We will keep you updated as it progresses.