A Bill to amend the Privacy Act would place new requirements on agencies to notify people when their personal information is collected indirectly.
The Bill, first introduced to Parliament in mid-September 2023, seeks to amend the existing Privacy Act 2020 to address a “gap” in current data handling practices by introducing a new notification requirement for agencies collecting personal information other than from the individual concerned.
The stated aim of the Bill is to bolster transparency in the collection of personal information and empower individuals to assert their privacy rights more effectively. One of the key issues it is intended to address is that currently agencies are not required to notify individuals when they collect their personal information indirectly. In practice this can mean that people are unaware of ‘invisible’ processing of their personal information, and agencies have no obligation to set that out in their privacy statements or policies.
New information privacy principle – 3A
The Bill is split into two parts, with Part 1 introducing a new information privacy principle and Part 2 making minor amendments to the Act.
It proposes a new information privacy principle (IPP 3A) which would require agencies who collect information about an individual other than from the individual directly to notify the individual about the data collection as soon as is reasonably practicable.
Agencies collecting personal information in New Zealand are already required to let people know when information is being collected from them. Existing information privacy principle 3 (IPP3) requires agencies to, among other things, make individuals aware of what personal information is being collected from them, by whom, and why.
IPP3A will, if the Bill becomes law, make that same obligation apply even where personal information is collected indirectly (e.g. via a third party).
The Bill is intended to bring New Zealand’s privacy law closer to overseas privacy regimes, which may become increasingly relevant with cross-border flows of data made possible by technology and international trade. It is also no doubt relevant to the ongoing maintenance of New Zealand’s adequacy with international privacy practice.
Exceptions to notification
Just like with existing IPP3, IPP3A includes exceptions to notification, which agencies may at times need to rely upon for practical purposes.
The main exception to a new indirect collection notification requirement will be where the individual has already been made aware of the notification requirements (e.g. in a notice given when information was first collected from the individual). Other exceptions include where the agency believes on reasonable grounds that the information is publicly available, where non-compliance would not prejudice the interests of the individual, or where providing notice of collection may prejudice the interests of other parties.
The Bill’s intended addition to the Privacy Act is a meaningful step towards expanding privacy and individual rights, but it may not go far enough to keep up with international practice. In comparison to other more expansive privacy regimes such as the European GDPR, New Zealanders have limited rights to control the use of their personal information, being unable to rely on the law to restrict how their personal information is used and/or request that it be erased.
Additionally, the practical compliance costs and implications for agencies making these notifications of indirect collection will need to be carefully considered to ensure that those costs are not detrimentally passed on to consumers.
Our privacy and data protection specialists will be keeping a close on eye on the progress of this Bill after the 2023 election. It is expected that the public will be able to make submissions to the Justice Select Committee in 2024.
Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.