The proposed changes, which have been welcomed by the Privacy Commissioner as “fundamental to protecting the privacy rights of individuals”, are likely to have significant implications for many businesses and the design of their data governance strategies.
This article summarises the key features of the proposed amendments under the Bill, and their implications.
Key features of the Bill
The Bill amends the Privacy Act 2020 by altering the information privacy principles (“IPPs”) that govern the collection, use, storage and disclosure of personal information. While in most circumstances the Privacy Act requires that personal information be collected directly from the individual concerned (under IPP 2), indirect collection is permitted in some circumstances (for example, where it causes no prejudice to, or is authorised by, the individual concerned). IPP 3 separately requires agencies to take reasonable steps to notify individuals about the collection of their information and other specified matters, but currently this applies only to direct collection; there is no corresponding requirement for indirect collection. The Bill seeks to close that regulatory “gap” by introducing a new notification obligation, IPP 3A, that applies where personal information is collected indirectly. Specifically:
- A key exception is that an agency will not be required to comply with IPP 3A where the individual concerned has previously been made aware of the relevant matters (for example, by the original agency that first collected the personal information). In practice, we expect that change is likely to result in more detailed descriptions in privacy policies of the third parties to whom information may be disclosed. The Bill does not clarify the extent of disclosure required for this purpose (in particular, whether a general statement regarding categories of recipients is sufficient, or whether specific identification of particular recipients is required).
- IPP 3A will also be subject to a number of other practical exceptions to ensure the efficient administration of certain public functions and to protect against unintended consequences. In most cases the exceptions reflect those which apply currently for direct collection (for example, where non-compliance would not prejudice the individual, or is necessary for law enforcement). In addition, agencies will not need to comply with IPP 3A if they reasonably believe that the information is publicly available or that compliance would: (a) prejudice national security, defence, or international relations; (b) reveal a trade secret; or (c) cause a serious threat to health or safety.
The changes are intended in part to align with international practice. In particular, the background discussion paper issued last year by the Ministry of Justice noted that:
- The EU’s General Data Protection Regulation (GDPR) requires that individuals be informed of the processing of their personal information, regardless of whether it is collected directly or indirectly, in a clear and accessible form.
- Australia’s Privacy Act 1988 provides generally for notification of collection, regardless of the manner of collection.
- The United Kingdom Data Protection Act 2018 sets out a general notification obligation applicable to agencies collecting personal information, including where that is collected indirectly.
Timing and Process
In terms of next steps, a consultation period is expected in 2024. The Bill envisages that the new obligations will come into force on 1 June 2025 (anticipated to be at least 6 months after the date of Royal assent) to allow time for agencies to modify their systems and processes to enable compliance with new IPP 3A. New IPP 3A will not apply retrospectively to personal information collected before 1 June 2025.
In an era where the value of data is increasingly prized, the proposals under the Bill create a fresh set of challenges and opportunities for businesses in New Zealand that rely on indirect collection of personal information. While the amendments are relatively targeted, we expect they may have significant implications for businesses’ data governance strategies and ongoing product design decisions. Businesses should start preparing for the proposed changes well in advance, and should consider in particular:
- How will the business discharge the proposed obligations? Will the business rely on clear disclosure by the original agency that first collected the information, or will it design new processes to ensure that it provides the notification directly? If the latter, how will that be designed in a way that is compliant but not invasive or surprising to the individuals concerned?
- How will the exceptions apply in practice? The explanatory note to the Bill gives the example of a gun club that indirectly collects alarming information about a member: the club could avoid direct notification where informing the member could create a threat to public safety. That is a relatively narrow example, however, and there will be a wide range of other contexts for businesses to consider.
These issues will require careful thought and, in the fast-evolving data landscape, proactive engagement is crucial. Businesses should be prepared to participate in the consultation phase in 2024 to ensure that their submissions can help shape the final version of the Bill.
Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team have been monitoring these developments closely. If you have any questions about the matters raised in this article or how the Bill might impact your business, please get in touch with the contacts listed or your usual Bell Gully adviser.