Under the looming shadow of the European Union’s ongoing review of Aotearoa New Zealand’s adequacy status, the Government is considering amendments to the Privacy Act 2020 to promote and strengthen transparency around the collection, use and disclosure of personal information when personal information collected indirectly.
The Ministry of Justice, who administers the Privacy Act, is of the view that this can be achieved through broadening the disclosure requirements to apply to agencies who collect personal information via third parties. Through these changes, the Ministry is hoping to ensure that Aotearoa New Zealand keeps up to date with privacy laws and practices in overseas jurisdictions.
The Ministry has initiated a public feedback process on proposed changes to the Privacy Act, and is expecting submissions until 5PM on Friday, 30 September 2022. Submissions can be sent directly to privacyfeedback@justice.govt.nz.
The current notification requirements under the Privacy Act are found in Information Privacy Principles (IPP) 2 and 3. IPP 2 requires agencies to collect personal information directly from individuals concerned unless there is an applicable exception. IPP 3 provides for the primary disclosure requirements under the Privacy Act. Under IPP 3, where an agency seeks to collect personal information from the individual, the agency must take reasonable steps to ensure the individual is aware of key matters before the information is collected, or as soon as possible afterwards. Key matters include the fact that the information is being collected, the purposes of collection, and whether supplying personal information is voluntary or legally required.
The Ministry voices its concerns in its engagement document noting that the interplay between IPP 2 and 3 creates a gap in the current disclosure requirements, as the disclosure requirements under IPP 3 will not apply if information is not required to be collected directly from the individual concerned under an exception to IPP 2. The Ministry is of the view that this weakens the Privacy Act’s protections where personal information is collected indirectly from the individual in question.
The Ministry is considering several ways in which the disclosure requirements could be broadened, including:
The Government has recognised that the dramatic evolution of business models and technologies in recent years has resulted in a significant rise in the indirect collection of personal information. Increasing the transparency of indirect collection would provide individuals with more control over how agencies apply their personal information. This measure would also increase trust and safety in Aotearoa New Zealand privacy law.
The proposed changes to the notification requirement would also align the Privacy Act with corresponding international regulations. Aotearoa New Zealand agencies operating overseas are likely already required to comply with the broad notification requirements in the identified jurisdictions.
That being said, given the overseas examples provided, and the options considered by the Ministry, the changes signal that this recent move may be part of Aotearoa New Zealand’s efforts to maintain its GDPR adequacy status.
The Ministry has determined that voluntary guidance would not provide a sufficient solution to the issue.
The Ministry also notes that overseas jurisdictions generally have or are considering broad notification requirements for the indirect collection of personal information, and Aotearoa New Zealand should follow suit.
For example, Article 14 of the EU General Data Protection Regulation (GDPR) requires data controllers (the equivalent to ‘agencies’ in the Privacy Act) to provide data subjects (the equivalent to ‘individuals concerned’ in the Privacy Act) with certain information when the information is not obtained from the data subject (subject to the exceptions under Article 14 (5). Section 44(3) of the United Kingdom Data Protection Act 2018, also called UK GDPR, requires controllers to provide further information necessary to enable the data subjects to exercise their rights (such as right of access, rectification, or erasure etc.). Australian Privacy Principle 5 of the Privacy Act 1988 sets out a general notification requirement without drawing a distinction on the manner of collection.
The recent developments in Japan and South Korea are also mentioned, which introduced increased protections in relation to the notification requirements for agencies that indirectly collect personal information from EU individuals.
These examples provides useful hints as to where the Ministry may land with its recommendations to the Government on the changes to the Privacy Act.
Looking ahead, agencies should consider making a submission and keep an eye out for the potential changes in disclosure requirements in the months ahead. In the meantime, now is an opportune time to review your privacy practices, and ensure you are meeting your disclosure obligations (among others) under the Privacy Act.
See more »
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Dentons | Attorney Advertising
Refine your interests »
This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.
Back to Top
Explore 2022 Readers’ Choice Awards
Copyright © JD Supra, LLC