Why are these changes being proposed?

Currently, the notification requirements set out in the Privacy Act are as follows:

• information privacy principle 2 of the Privacy Act generally requires information to be collected directly from the individuals concerned, but does permit indirect collection in certain circumstances, including where compliance is not reasonably practicable in the circumstances; and

• information privacy principle 3 of the Privacy Act requires an individual to be notified by an agency of certain matters (usually those set out in a privacy policy) if the agency is collecting information directly from the individual concerned.

This means that there is currently a gap in notification requirements where an agency relies on the exceptions in information privacy principle 2 to collect information about an individual indirectly from a third party. Some examples of indirect collection of personal information include:

• an organisation asking an individual to provide personal information about the individual’s next of kin; or

• an advertising agency collecting personal information about an individual from the website of a different organisation that the individual has signed up to.

In such cases, the individual may not be aware of the collection of their personal information Therefore they may not have been given the choice of whether or not to make that information available, or been made aware of rights they have to request access to, or correction of, their personal information.

Other jurisdictions have privacy laws with notification requirements covering indirect collection, including the General Data Protection Regulation that covers the EU, and the privacy laws of the UK and Australia. The Ministry of Justice has indicated that this change would ensure New Zealand keeps up to date with privacy laws and best practice in overseas jurisdictions. They would also support international trade, and in particular the cross-border flow of personal information as a basis for digital trade.

How will this affect your organisation?

The proposed changes will require an individual to be notified when an agency collects their personal information indirectly through a third party. This means that if your organisation collects personal information about individuals from a third party, you may need to:

• update your privacy policy; and

• have processes in place to be able to notify the individual of the indirect collection of their information.

It will be interesting to see how well this requirement would work in practice, as there could well be practical difficulties in notifying an individual with whom an organisation does not have a direct relationship.

To address this obligation under the Australian Privacy Act, guidance from the Office of the Australian Information Commissioner suggests that notification can be satisfied by ensuring that the original entity collecting the personal information has given notice of the relevant matters on behalf of the entity indirectly collecting the personal information.

Next steps

The Ministry of Justice wants to hear from stakeholders and the public on the form and scope of the proposals. The Ministry is keen to hear from agencies involved in the indirect collection of personal information, whether domestically or overseas, as well as from individuals whose personal information may be indirectly collected.

Further information on detail and background, and providing feedback, can be found in the Engagement Document released by the Ministry of Justice available here. Feedback is due by 5pm, Friday 30 September 2022.

It is interesting that this deadline is the same as the deadline to provide feedback to the Privacy Commissioner on how biometrics should be regulated to protect privacy in New Zealand.

We recommend businesses prioritise looking at their privacy policies and get in touch for best practice advice.

Special thanks to Po Tsai for his assistance in writing this article.