For further details of the new requirements, which would involve the creation of a new “information privacy principle” (IPP), please see our previous article here.
Summary of the changes
In summary:
- Currently, IPP 3 requires agencies to take reasonable steps to notify individuals about the collection of their information and other specified matters. However, this applies only to direct collection, and there is no corresponding requirement in relation to indirect collection. The bill seeks to address that regulatory “gap” by introducing a new notification obligation in relation to indirect collection.
- New IPP 3A will require a collecting agency to notify an individual of a range of matters when collecting the individual’s information indirectly, including the name and address of the agency and the purposes for which the information is being collected.
- A key exception is that an agency will not be required to comply with IPP 3A where the individual concerned has previously been made aware of the relevant matters, for example, by the original agency who first collected the personal information.
- In practice, this is likely to result in more detailed descriptions in privacy policies regarding third parties to whom information may be disclosed. The bill provides the following example:
An agency (A) has collected personal information from the individual concerned. A has disclosed the information to another agency (B). B, after collecting the information, is not required to comply with subclause (1) [i.e., the notification requirements under IPP 3A] if A, when complying with IPP 3, notified the individual concerned that the information would be disclosed to B and of the matters in subclause (1) in relation to B’s collection of the information.
- The bill does not clarify the extent of disclosure that is required by party A for this purpose, and whether a general statement regarding certain categories of recipients is sufficient, or if specific identification of particular recipients is required.
IPP 3A will also be subject to a number of other practical exceptions to ensure the efficient administration of certain public functions and to protect against unintended consequences. For example, agencies will not need to comply with IPP 3A if they reasonably believe that the information is publicly available or that compliance would: (a) prejudice national security, defence, or international relations; (b) reveal a trade secret; or (c) cause a serious threat to health or safety.
Next steps
Submissions are due by 14 June 2024.
If enacted, the new law is intended to come into force on 1 June 2025 (anticipated to be at least six months after the date of Royal assent) to allow time for agencies to modify their systems and processes to enable compliance with new IPP 3A.
It will be important for any business involved in the collection and disclosure of personal information to consider the implications of the bill carefully, and whether the proposed exceptions are sufficiently broad to minimise disruption to current data collection practices. The full text of the bill is available here.
Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team have been monitoring these developments closely. If you require any assistance with a submission or if you have any questions about the bill or how it might impact your business, please get in touch with the contacts listed or your usual Bell Gully adviser.