The Government has released the Privacy Amendment Bill (Bill) to broaden the notification requirements under the Privacy Act 2020 (Privacy Act), which follows consultation on the topic by the Ministry of Justice last year.
The Bill will affect any agency that collects personal information indirectly through other agencies. However, the amendment does not apply to personal information collected before 1 June 2025.
You can read the Bill here.
What are the current notification requirements?
For a summary of the current notification requirements and why the Ministry of Justice considered an amendment, please see our previous update here.
Key amendment under the Bill
The Bill introduces a new information privacy principle 3A (IPP 3A) relating to the indirect collection of personal information. IPP 3A supplements IPP 3, which deals with the direct collection of personal information. The Government is of the view that IPP 3A addresses a gap in the existing notification regime, as there is currently no requirement for an agency to notify an individual when it collects personal information about that individual directly from other sources (for example, a third-party agency).
IPP 3A provides that if an agency collects personal information about an individual other than from the individual concerned, the agency must take steps that are, in the circumstances, reasonable to ensure that the individual concerned is aware of:
- the fact that the information has been collected;
- the purpose for which the information has been collected;
- the intended recipients of the information;
- the name and address of the agency that has collected the information and the agency that is holding their information;
- if the collection of the information is authorised or required by or under law, details of that particular law; and
- the rights of access to, and correction of, the information.1
Similar to IPP 3, there are also certain exceptions under IPP 3A. These are largely the same as the exceptions under IPP 3 with the following new exceptions:
- the personal information is publicly available;
- compliance with IPP 3A would prejudice the security or defence of New Zealand or the international relations of the Government; or
- compliance with IPP 3A would reveal a trade secret.
Practical issues with compliance
For a number of agencies, compliance with IPP 3A will raise practical challenges when those agencies do not have existing relationships with the individuals whose information they have collected indirectly. Individuals may be surprised to receive notifications that Party X now holds their information, which could lead to scrutiny over whether the disclosing third party had adequate grounds to make such a disclosure.
However, we expect that, for most businesses, there will be increased scrutiny on how and when they tell individuals that their information is being collected. This raises a number of issues of whether privacy policies are the correct "vehicles" for compliance with IPP 3A, and it will require most businesses to review their existing privacy policies.
We will be monitoring developments and will provide a further update when the Bill has been passed into law. In the meantime, if you would like any advice regarding how the Bill might affect you, please do not hesitate to contact us.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.