New Disclosure Requirements under the new Privacy Amendment Bill
November 2023
The Privacy Amendment Bill (Bill) was recently introduced to Parliament at the beginning of September 2023.
The public will have an opportunity to have its say on the Bill by making submissions to the Justice Select Committee in 2024. As proposed, the amendments highlighted in this update will come into force on 1 June 2025. Further information on the Bill can be found at this link.
In this update, we summarise the key amendments proposed under the Bill and what organisations will need to do to comply with the Bill as and when the amendments come into force.
PRIVACY AMENDMENT BILL
Currently, the Privacy Act 2020 contains disclosure requirements in relation to the collection of personal information directly from individuals, as detailed in Information Privacy Principle 3 (IPP3). The Office of the Privacy Commissioner has now recognised that there needs to be increased transparency for personal information collected from other sources. The Bill seeks to address this by extending IPP3 through the introduction of Information Privacy Principle 3A (IPP3A).
The new IPP3A imposes new disclosure requirements on organisations collecting personal information from a source other than from the individual concerned. In summary, under IPP3A the organisation must, as soon as reasonably practicable, take reasonable steps to ensure that the individual concerned is aware of:
- the fact the information has been collected;
- the purpose for which the information has been collected;
- the intended recipients of the information;
- the name and address of the agency that has collected the information and is holding the information;
- any law authorising or requiring the collection; and
- the individual’s rights of access to, and correction of, the information.
The disclosure requirements above are the same as some of the requirements applicable to organisations collecting personal information directly from the individual concerned, as contained in IPP3.
The Bill provides for nine exceptions to IPP3A (five exceptions from IPP3 and four additional exceptions):
Five exceptions as set out in IPP3:
- non-compliance would not prejudice the interests of the individual;
- non-compliance is necessary:
  - to avoid prejudice to the maintenance of the law;
  - for enforcement of a law that imposes a pecuniary penalty;
  - for the protection of public revenue; or
  - for the conduct of proceedings before any court or tribunal;
- compliance would prejudice the purposes of the collection;
- compliance is not reasonably practicable in the circumstances of the particular case; or
- the information:
  - will not be used in a form in which the individual concerned is identified; or
  - will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

Additional four exceptions for IPP3A:
- the personal information collected is publicly available;
- compliance would prejudice the security or defence of New Zealand, or the international relations of the Government of New Zealand;
- compliance would reveal a trade secret; or
- informing the individual concerned would cause a serious threat to public health or safety, or to the health or safety of another individual.
The Bill also provides that an organisation is not required to take the steps above if the individual has previously been made aware by any means of all the disclosure requirements above in relation to the organisation’s collection of the information.
KEY TAKEAWAYS
There are simple practical steps you can take to comply with these new disclosure requirements by 1 June 2025:
- Update your privacy policy: Your privacy policy should set out whether information will be collected from third party sources and contain the other disclosure requirements detailed above.
- Review your customer onboarding and engagement processes: You could embed the disclosure requirements above as part of your customer onboarding and engagement process.
- Update your information management system: Your records relating to the collection of personal data should also include details of your source of information, whether directly or from a third party source.
- Be prepared to deal with individuals without having a direct contractual relationship: You may be approached by an individual who is not your customer and who is requesting information you retain about her or him. You should set up verification processes for the disclosure of information to those individuals.
If you have any questions about privacy, or would like our help to comply with IPP3A, please get in touch.
Disclaimer: The information contained in this publication is of a general nature and is not intended as legal advice. It is important that you seek legal advice that is specific to your circumstances.