Privacy update: Submissions open on new “indirect collection” requirements

16 May 2024

Submissions have opened on an amendment bill that proposes new requirements to notify individuals when their personal information is collected indirectly by third parties.

For further details of the new requirements, which would involve the creation of a new “information privacy principle” (IPP), please see our previous article here.

Summary of the changes

In summary:

  • Currently, IPP 3 requires agencies to take reasonable steps to notify individuals about the collection of their information and other specified matters. However, this applies only to direct collection, and there is no corresponding requirement for indirect collection. The bill seeks to address that regulatory “gap” by introducing a new notification obligation in relation to indirect collection.
  • New IPP 3A will require a collecting agency to notify an individual of a range of matters when collecting the individual’s information indirectly, including the name and address of the agency and the purposes for which the information is being collected.
  • A key exception is that an agency will not be required to comply with IPP 3A where the individual concerned has previously been made aware of the relevant matters, for example, by the original agency who first collected the personal information.
  • In practice, this is likely to result in more detailed descriptions in privacy policies regarding third parties to whom information may be disclosed. The bill provides the following example:
    An agency (A) has collected personal information from the individual concerned. A has disclosed the information to another agency (B).
    B, after collecting the information, is not required to comply with subclause (1) [i.e., the notification requirements under IPP 3A] if A, when complying with IPP 3, notified the individual concerned that the information would be disclosed to B and of the matters in subclause (1) in relation to B’s collection of the information.
  • The bill does not clarify the extent of disclosure that is required by party A for this purpose, and whether a general statement regarding certain categories of recipients is sufficient, or if specific identification of particular recipients is required.

IPP 3A will also be subject to a number of other practical exceptions to ensure the efficient administration of certain public functions and to protect against unintended consequences. For example, agencies will not need to comply with IPP 3A if they reasonably believe that the information is publicly available or that compliance would: (a) prejudice national security, defence, or international relations; (b) reveal a trade secret; or (c) cause a serious threat to health or safety.

Next steps

Submissions are due by 14 June 2024.

If enacted, the new law is intended to come into force on 1 June 2025 (anticipated to be at least six months after the date of Royal assent) to allow time for agencies to modify their systems and processes to enable compliance with new IPP 3A.

It will be important for any business involved in the collection and disclosure of personal information to consider the implications of the bill carefully, and whether the proposed exceptions are sufficiently broad to minimise disruption to current data collection practices. The full text of the bill is available here.

Bell Gully’s Consumer, Regulatory and Compliance (CRC) Team have been monitoring these developments closely. If you require any assistance with a submission or if you have any questions about the Bill or how it might impact your business, please get in touch with the contacts listed or your usual Bell Gully adviser.

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.