Privacy Amendment Bill changes the requirements for the indirect collection of personal information
Written by Nick Aveling and Dan Barclay
The new Privacy Amendment Bill (“Bill”) proposes changes to the Privacy Act 2020 to enhance transparency when personal information is collected indirectly. This would better enable individuals to exercise their privacy rights when their personal information is passed from a third-party source to an agency. The Bill aims to align New Zealand’s privacy laws with international best practices.
The change is important as currently there is no requirement for an organisation to notify an individual when it collects personal information from an indirect or third-party source. As such, the individual may not know that an organisation holds and uses their personal information.
Under Information Privacy Principle 3A, organisations must inform individuals of:
- the fact the information has been collected;
- the name and address of the agency that has collected and is holding the information;
- the purposes for which the information is being collected;
- the recipients of the information;
- whether the collection is authorised or required by the law; and
- the rights of access to, and correction of, the information.
The Bill also provides for several exceptions, exempting organisations from compliance with this Principle where:
- the individual is already aware of the collection.
- non-compliance does not prejudice the individual’s interests.
- compliance is impractical or would undermine the purpose of collection.
- information is publicly available, anonymised, or used for statistical purposes.
- compliance risks national security, trade secrets, or public safety.
The new obligations, if enacted, will come into force on 1 June 2025, but will not apply to personal information collected before this date. Organisations should be preparing for this by updating privacy policies, implementing systems to notify individuals, and creating contracts with third-party sources to ensure compliance. Regular Privacy Impact Assessments and audits should be conducted to identify risks and maintain compliance with the amended Act.
The Bill has widespread political support, making its passage likely. For organisations, these changes may pose challenges, particularly where no direct relationship exists with the individual. Best practices include revising policies to explain the indirect collection methods, ensuring access requests are available to individuals, and establishing robust privacy frameworks. Compliance will require significant planning for sectors that rely on third-party data sources.
For more information, refer to the Privacy Amendment Bill 292-1 (2023), Government Bill Explanatory note – New Zealand Legislation, or reach out to one of our team to guide you in making the necessary changes.