Guidance

Upcoming Privacy Act amendments

There are a couple of bills before Parliament that will amend the Privacy Act 2020, and may require some action on the part of Privacy Officers to make sure their agency stays compliant.

The Privacy Amendment Bill is currently before Parliament, and will introduce a new Information Privacy Principle, IPP3A, and make some other amendments.

Introducing IPP3A

The new IPP3A has been added primarily to maintain our hard-fought status of ‘adequacy’ in respect of GDPR by introducing a new and explicit obligation around indirect collection of personal information.

It will address a current transparency gap in the law where there is no requirement for an agency to notify an individual when it collects personal information about the individual indirectly (ie from a third party). This means an individual may not know that an agency holds their personal information.

Reflecting the obligations under IPP3 with respect to direct collection, the new IPP3A will require the collecting agency to notify an individual of a range of matters when collecting their information from a third party, including the name and address of the agency, the purposes for which the information is being collected, and the rights of access to, and correction of, the information. Reflecting how IPP3 operates, IPP3A is also subject to a number of practical exceptions where the notification obligation will not apply (eg where the information is publicly available or where complying would prejudice the maintenance of the law).

Importantly for many agencies who may be wondering how they can practically meet this new obligation, they won’t be required to notify individuals if the individual concerned has previously been made aware of the required information (for example, by the agency who did collect the information from them directly).

So for agencies that do receive personal information indirectly, it will be important to ensure that the agency who is collecting it directly and then passing it along has told individuals the required information about who will receive it and what they will use it for. Of course they should already be doing this to comply with their own IPP3 obligations, but it will be sensible for receiving agencies to check (and if necessary make this subject to a contractual obligation).

Likewise, agencies that collect information directly and pass it on to other agencies should review their own privacy statements to make sure they are accurate and up to date in this respect (which may involve checking with the recipient agency as to their intended uses of the information).

The new IPP3A is currently intended to take effect with respect to personal information collected from 1 June 2025 (subject to it making its way through the parliamentary process as expected).

Extension of withholding grounds

As well as some technical amendments, the Bill also extends two of the available grounds for refusing an individual’s request for their personal information. It extends the existing ability under s49(1)(c) to refuse access to a requester aged under 16, on the basis that providing the information would be contrary to their interests, to also allow refusal if releasing the information would be contrary to the interests of another person aged under 16.

Likewise, the ability to refuse a request under s49(1)(d), on the basis that providing the information in response to their request would prejudice the safe custody or rehabilitation of a requester who has been convicted of an offence and is (or was) in custody, has been extended to allow refusal if release would similarly impact another person who has been convicted of an offence or is (or was) in custody.

These extensions provide an alternative ground for refusal to the existing ground under s53(b)(1), ie where refusal is on the basis that providing the information would be an unwarranted disclosure of the affairs of another.

Statutes Amendment Bill

The other piece of legislation amending the Privacy Act is the Statutes Amendment Bill, which makes a number of interesting tweaks to the Act. These include reinstating a ground for refusing a request for personal information that was removed by the 2020 Act – the ability to refuse on the basis that the information requested is not readily retrievable. You can read more about this change in this piece from the Privacy Foundation.

Other changes include a clarification that an agency who is acting solely as an agent of another agency (ie a service provider, or processor to use GDPR speak) will not be liable for privacy breaches, and providing the Privacy Commissioner with more discretion to not investigate a complaint made to him, ie on the basis that such an investigation would be ‘inappropriate’.